Abstract


Hybrid systems are systems that exhibit a combination of discrete and continuous behavior. Typical hybrid 
systems include computer components, which operate in discrete program steps, and real-world components, 
whose behavior over time intervals evolves according to physical constraints. Important examples of hybrid systems 
include automated transportation systems, robotics systems, process control systems, systems of embedded devices, 
and mobile computing systems. Such systems can be very complex, and very difficult to describe and analyze. This 
paper presents the Hybrid Input/Output Automaton (HIOA) modeling framework, a basic mathematical framework 
to support description and analysis of hybrid systems. An important feature of this model is its support for 
decomposing hybrid system descriptions. In particular, the framework includes a notion of external behavior 
for a hybrid I/O automaton, which captures its discrete and continuous interactions with its environment. The 
framework also defines what it means for one HIOA to implement another, based on an inclusion relationship 
between their external behavior sets, and defines a notion of simulation, which provides a sufficient condition for 
demonstrating implementation relationships. The framework also includes a composition operation for HIOAs,
which respects the implementation relation, and a notion of receptiveness, which implies that an HIOA does not
block the passage of time. The framework is intended to support analysis methods from both computer science
and control theory. This work is a simplification of our earlier HIOA model. The main simplification in the new
model is a clearer separation between the mechanisms used to model discrete and continuous interaction between 
components. In particular, the new model removes the dual use of external variables for discrete and continuous 
interactions. 

© 2003 Elsevier Science (USA). All rights reserved. 


1. Introduction 
1.1. Overview 


Recent years have seen a rapid growth of interest in hybrid systems—systems that intermix discrete 
and continuous behavior [9,10,12,20,28,34,51,62,70,73,80]. Typical hybrid systems include computer 
components, which operate in discrete program steps, and real-world components, whose behavior over 
time intervals evolves according to physical constraints. Such systems are used in many application 
domains, including automated transportation, avionics, automotive control, robotics, process control, 
embedded devices, consumer electronics, and mobile computing. 

Hybrid systems can be very complex, and therefore very difficult to describe and reason about. At the 
same time, because they involve real-world activity, they often have stringent safety requirements. This 
combination of factors leads to a need for rigorous mathematical models for describing hybrid systems 
and their properties, and for practical analysis methods based on these models. 

In this paper, we present a basic mathematical framework to support description and analysis of hybrid 
systems: the Hybrid Input/Output Automaton modeling framework. A Hybrid I/O Automaton (HIOA) 
is a kind of nondeterministic, possibly infinite-state, state machine. The state of an HIOA is divided 
into state variables, and it may also have additional input variables and output variables. The state 
can change in two ways: instantaneously by the occurrence of a discrete transition, or according to 
some trajectory when time passes. Formally, a discrete transition is a triple consisting of a source state, 
an action (for synchronization with other automata), and a target state. Trajectories are functions that 
describe the evolution of the state variables, along with the input and output variables, over intervals of 
time. Trajectories may be continuous or discontinuous functions. 

HIOAs are intended to be used to model all components of hybrid systems, including physical 
components, controllers, sensors, actuators, computer software, communication services, and humans 
that interact with the rest of the system. The framework is very general: for example, we do not 
require that trajectories be expressible using systems of equations of a particular form, and we do not 
require that discrete transitions be expressible using a particular logical language. Particular kinds of 
systems of equations and particular logical languages can be used to define special cases of the general 
model. 

The most important feature of the hybrid I/O automaton framework is its support for decomposing 
hybrid system description and analysis; this is important because many hybrid systems are too complex 
to understand all at once. A key to this decomposition is that the framework includes a rigorously defined 
notion of external behavior for hybrid I/O automata, which captures their discrete and continuous 
interactions with their environment. The external behavior of each HIOA is defined by a simple 
mathematical object called a trace. The framework also includes notions of abstraction and parallel
composition. 

For abstraction, the framework includes notions of implementation and simulation, which can be 
used to view hybrid systems at multiple levels of abstraction, starting from a high-level version that 
describes required properties, and ending with a low-level version that describes a detailed design or 
implementation. In particular, the HIOA framework defines what it means for one HIOA, A, to implement
another HIOA, B, namely, any trace that can be exhibited by A is also allowed by B. In this case, A
might be more deterministic than B, in terms of either discrete transitions or trajectories. For instance,
B might be allowed to perform an output action at an arbitrary time before noon, whereas A produces
the same output sometime between 10 and 11 AM. Or B might allow an output variable y to evolve with
y ∈ [0, 2], whereas A might ensure that y = 1.

The notion of a simulation relation from A to B provides a sufficient condition for demonstrating that 
A implements B. A simulation relation is defined to satisfy three conditions, one relating start states, one 
relating discrete transitions, and one relating trajectories of A and B. 

For parallel composition, the framework provides a composition operation, by which HIOAs mod- 
eling individual hybrid system components can be combined to produce a model for a larger hybrid 
system. The model for the composed system can describe interactions among the components, including 
joint participation in discrete transitions and trajectories. Composition requires certain “compatibility” 
conditions, namely, that each output variable and output action be controlled by at most one automaton, 
and that internal variables and actions of one automaton cannot be shared by any other automaton. The 
composition operation respects the implementation relation, for example, if A_1 implements A_2 then the
composition of A_1 and B implements the composition of A_2 and B. Composition also satisfies projection
results saying that a trace of a composition of HIOAs projects to give traces of the individual HIOAs, 
and pasting results saying that compatible behaviors of components are “pastable” to give behaviors of 
the composition. Such results are essential if the models are to be used for compositional design and 
verification of systems. In addition, the framework includes hiding operations for output actions and 
variables, which respect the implementation relationship. 

An interesting complication that arises in the hybrid setting is the possibility that a state machine 
could “prevent time from passing”, for example, by blocking it entirely, or by scheduling infinitely many 
discrete actions to happen in a finite amount of time—so-called Zeno behavior. The HIOA framework 
includes a notion of receptiveness, which says that an HIOA does not contribute to producing Zeno 
behavior, and which (under suitable compatibility conditions) is preserved by composition. We also give 
simple sufficient conditions for these compatibility conditions to hold. 

The generality of the HIOA framework means that a large collection of analysis methods, derived 
from both discrete and continuous analysis methods, can be applied to systems modeled as HIOAs. 
For example, inductive methods for proving invariant assertions and simulation relationships (see, e.g. 
[58,72]), which are commonly used in computer science for reasoning about discrete systems, can 
be extended to the hybrid setting and expressed by theorems about HIOAs. Other discrete analysis 
methods that should be extendible include proving progress using well-founded sets (see, e.g. [26]), 
assume-guarantee compositional reasoning (e.g. [16,36]), and deducing properties within temporal logic 
and other logical formalisms. All of these methods could be supported by interactive theorem proving 
software. Automatic methods based on state-space searching and based on decision procedures for 
automata on infinite paths (see, e.g. [16]) should also be extendible; however, these methods will apply 
only to special cases of the general model. 
Likewise, key methods used in control theory for reasoning about continuous systems, such as
stability analysis using Lyapunov functions (e.g. [79]) and robust control techniques (e.g. [23]), should 
be extendible to hybrid systems using HIOAs. 


1.2. Evolution of the HIOA framework 


The HIOA framework has evolved from two earlier input/output automaton models: the basic I/O 
automaton model of Lynch and Tuttle [55,56] and the timed I/O automaton model of Lynch, Vaandrager 
et al. [60,74]. Basic I/O automata consist essentially of states, start states, and discrete transitions. They 
have been used fairly extensively to describe and analyze asynchronous distributed algorithms—see, for 
example [48]. 

Timed I/O automata add explicit time-passage steps, which allow time to pass in discrete jumps. In 
the simplest cases, time-passage steps involve just the passage of time, with no other changes to the state. 
However, in general, they are allowed to change the state in more elaborate ways, including changing 
variables that represent physical quantities. Timed I/O automata have been used mainly to describe 
timing-based distributed algorithms and communication protocols (e.g. [19,25,45,75–78]). Timed I/O
automata have also been used in a few cases to model simple hybrid system “challenge problems”, 
including the Generalized Railroad Crossing problem [30,31]. In these examples, the time-passage steps 
include changes to physical quantities such as train position and water level. 

An early version of the HIOA modeling framework appeared in [53,54]. It augmented timed I/O 
automata by adding input and output variables and explicit trajectories; the trajectories describe the 
evolution of the state and external variables over intervals of time, rather than just their cumulative 
changes. This version of the HIOA framework was used to describe and analyze many hybrid systems 
examples, including automated transportation systems [42,44,49,50,61,81–83], intelligent vehicle highway
systems [22,47], aircraft control systems [43,46], automotive control systems [24], and consumer
electronics systems [11].

We summarize the results of these modeling efforts briefly. In these examples, HIOAs were used 
to model system components of many different kinds, including real-world components, computer 
programs, communication channels, sensors, actuators, and humans (for example, pilots interacting with 
aircraft control systems). Individual component automata were generally highly nondeterministic, and 
often allowed for bounded uncertainty in the values of quantities represented in the state. Component 
states often included timing information, for example, the current time and deadlines for the performance 
of certain actions. Composition was used to combine the component HIOAs into models of the complete 
systems. Levels of abstraction were used to describe several kinds of relationships between HIOAs, for 
example: the relationship between a detailed view of a system and a more abstract view; the relationship 
between a description of a system in terms of higher derivatives (e.g., acceleration) and a description 
in terms of lower derivatives (e.g., velocity or position); and the relationship between a version of a 
system that includes periodic sampling and correction and a version in which adjustment is continuous, 
but within an envelope of uncertainty. 

The examples were analyzed using a variety of methods, including invariant assertions, simulation 
relations, compositional reasoning, differential equations, and integration. Many of the invariants and 
simulation relations involved timing data and data representing real-world quantities. Invariants and 
simulation relations were proved using inductive arguments on the length of executions, as is usual 
in the purely discrete setting. However, unlike in the discrete setting, the proofs in the hybrid setting 
included two different kinds of inductive steps: for discrete steps and trajectories. Arguments about
discrete steps involved the sort of algebraic deduction that is typical in the discrete setting, whereas 
arguments about trajectories involved manipulation of differential equations and integrals. For example, 
a technique involving “positive invariant sets”, derived from control theory, was used in [15] for showing 
that certain properties of the state are preserved during trajectories. 

In general, the formal HIOA framework proved to be adequate for these examples. However, it was 
not ideal, because it introduced some complications that proved to be distracting. The main source of 
complication seemed to be the fact that the model has two mechanisms for modeling discrete commu- 
nication: shared actions and shared variables. Also, it uses the same mechanism—shared variables—to 
model both discrete and continuous interactions between components. This intertwining of mechanisms 
led to some technicalities, for example, each automaton had to include a special environment action e, 
which is associated with discrete changes to input variables. To simplify matters, we were led to develop 
the new version of the HIOA model presented in this paper. The new version has a clearer separation 
between the mechanisms used to model discrete and continuous activity, and has only one mechanism 
for discrete communication: shared actions. 

In the literature on discrete state machine models, both shared actions and shared variables are popular 
mechanisms for modeling interactions between system components. The shared action approach is used, 
for example, in the extensive research literature on process algebras (e.g. [35,66,67]), and in the work on 
I/O automata (e.g. [49,55]). The shared variable approach is used, for example, in the temporal logic and
model-checking communities (e.g. [7,40,64]). The expressive power of shared action and shared variable 
communication is similar, and translations between special cases of these two types of models have 
been developed [18,39]. Choosing between these two forms of communication seems to be generally a 
matter of custom and convenience. One advantage of the shared-action approach is that it leads to simple 
mathematical notions of external behavior of state machines, based on sequences of actions (which are 
usually called “traces”).

The new HIOA framework presented in this paper uses (only) shared actions for discrete communica- 
tion, and uses shared variables for continuous communication. Discrete events are not allowed to make 
changes to shared variables, and the special environment action e is eliminated. Because the new model 
maintains a clearer separation between mechanisms for describing discrete and continuous activity, it 
is simpler overall—in its definitions, result statements, and proofs—than the earlier HIOA model of 
[53,54]. 

Another simplification in the new framework appears in the definitions and results involving recep- 
tiveness. In the original HIOA model of [53,54], and in other work that dealt with receptiveness [1,21,74] 
for discrete systems, receptiveness was defined in terms of two-player games between the system and its 
environment. In such a game, the goal of the system is to construct an infinite, non-Zeno execution, and 
the goal of the environment is to prevent this from happening. The simplification in this material in the 
new model is a result of our modeling of the game itself as an HIOA. 


1.3. Other related work 


Besides the models already discussed above, other precursors to the new HIOA model include the phase 
transition system models of [3,38,63] and Branicky’s hybrid control systems [13,14]. Phase transition 
systems are similar to HIOAs in their combined treatment of discrete and continuous activity, for example, 
they have notions similar to our trajectories and hybrid sequences. However, work on phase transition 
system models does not address system decomposition issues such as external behavior, implementation
relationships, and composition, which are emphasized in our paper. Branicky’s hybrid control systems 
are also similar to ours in their modeling of discrete and continuous activity. This work has a control 
theory flavor, focusing on standard configurations including plant, controller, sensor and actuator, and 
focusing on stability results. Again, system decomposition issues are not addressed. 

System decomposition issues, including levels of abstraction, compositionality, and receptiveness have 
been addressed by Alur and Henzinger [8] in their work on hybrid reactive modules. A major difference 
between this work and ours is that reactive modules communicate via shared variables and not via shared 
actions. Another difference is that hybrid reactive modules include an additional layer of structure tailored 
to modeling synchronous systems—structure that is not present in the HIOA model. In [8], a definition of 
receptiveness based on two-player games, similar to the definition in [53,54], is proposed, and is shown 
to be preserved by parallel composition. However, in [8], no circular dependencies (“feedback loops”) 
are allowed among the continuous variables of different components, a restriction that greatly simplifies 
the analysis. 

In [6,33], compositional trace-based semantics are presented for Statecharts-like languages that support 
hierarchical design of hybrid systems. These languages, called Charon and Masaccio, respectively, allow 
one to describe hierarchical state machines that communicate with their environment using shared 
variables. Communication via shared actions is not supported. Besides parallel composition and variable 
hiding, the languages also contain other operations required for the construction of hierarchical state 
machines, such as variable renaming and serial composition. The trace semantics presented in [6,33] for 
Charon and Masaccio is more concrete than the one that we present here: discrete events that do not 
change the observable part of the state are not eliminated from traces. As a consequence, a system that 
just lets time pass and performs a discrete “tick” step once every time unit is not an implementation of the 
same system without any discrete steps. The two systems are equivalent according to the trace semantics 
of this paper. We believe that our semantics are more intuitively appealing; the price we pay is that the 
proofs of our compositionality results are more complicated. Ref. [33] also contains some interesting 
proof rules for assume-guarantee reasoning. In [6,33], Zeno behavior and the issue of receptiveness are 
not considered. 


1.4. Paper organization 


The rest of this paper is organized as follows. Section 2 contains mathematical preliminaries. Next, 
Section 3 defines notions that are useful for describing the behavior of hybrid systems, most importantly, 
trajectories and hybrid sequences. Section 4 defines Hybrid Automata (HAs), which contain all of the 
structure of HIOAs except for the classification of external actions and variables as inputs or outputs. It 
also defines external behavior for HAs and implementation and simulation relationships between HAs. 
Section 5 presents composition and hiding operations for HAs. Section 6 defines Hybrid I/O Automata 
(HIOAs) by adding an input/output classification to HAs, and extends the theory of HAs to HIOAs. 
It also introduces a “strong compatibility” condition that ensures that HIOAs are composable, and 
describes situations in which strong compatibility is guaranteed to hold. Section 7 presents the theory of 
receptiveness, including a main theorem stating that receptiveness is preserved by composition (assuming 
strong compatibility). Finally, Section 8 presents some conclusions. Examples derived from earlier work 
on hybrid system modeling are included throughout. Appendix A lists some notational conventions used 
in the paper. 
2. Mathematical preliminaries


In this section, we give basic mathematical definitions that will be used as a foundation for our 
definitions of hybrid automata and hybrid I/O automata. These definitions involve functions, sequences, 
partial orders, and time. The automata definitions appear later in Sections 4 and 6. Since most of the 
definitions here are reasonably standard, we encourage the reader to skip ahead to Section 3 and return 
to this section as needed. 


2.1. Functions 


If f is a function, then we denote the domain and range of f by dom(f) and range(f), respec-
tively. If also S is a set, then we write f ⌈ S for the restriction of f to S, that is, the function g with
dom(g) = dom(f) ∩ S such that g(c) = f(c) for each c ∈ dom(g).

We say that two functions f and g are compatible if f ⌈ dom(g) = g ⌈ dom(f). If f and g are compatible
functions then we write f ∪ g for the unique function h with dom(h) = dom(f) ∪ dom(g) satisfying the
condition: for each c ∈ dom(h), if c ∈ dom(f) then h(c) = f(c) and if c ∈ dom(g) then h(c) = g(c).
More generally, if F is a set of pairwise compatible functions then we write ⋃F for the unique
function h with dom(h) = ⋃{dom(f) | f ∈ F} satisfying the condition: for each f ∈ F and c ∈ dom(f),
h(c) = f(c).

If f is a function whose range is a set of functions and S is a set, then we write f ↓ S for the function
g with dom(g) = dom(f) such that g(c) = f(c) ⌈ S for each c ∈ dom(g). The restriction operation ↓ is
extended to sets of functions by pointwise extension. Also, if f is a function whose range is a set of
functions, all of which have a particular element d in their domain, then we write f ↓ d for the function
g with dom(g) = dom(f) such that g(c) = f(c)(d) for each c ∈ dom(g).

We say that two functions f and g whose ranges are sets of functions are pointwise compatible if
for each c ∈ dom(f) ∩ dom(g), f(c) and g(c) are compatible. If f and g have the same domain and
are pointwise compatible, then we denote by f ∪ g the function h with dom(h) = dom(f) such that
h(c) = f(c) ∪ g(c) for each c ∈ dom(h).
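The operations of this subsection, restriction, compatibility, union, and their pointwise versions, worked through in Python as an added example (this is not code from the paper). Functions are finite dicts, so a time-sampled trajectory (time → valuation, in the sense of Section 3.2) stands in for a function whose range is a set of functions; the sample data, the variable names x, y, z and the helper names are constructed for this illustration.

```python
# Added example (not from the paper): the Section 2.1 operations on functions,
# with a function modelled as a dict, dom(f) = f.keys() and f(c) = f[c].

def restrict(f, S):
    """f ⌈ S: the function with domain dom(f) ∩ S that agrees with f there."""
    return {c: f[c] for c in f if c in S}

def compatible(f, g):
    """f and g are compatible if f ⌈ dom(g) = g ⌈ dom(f)."""
    return restrict(f, g.keys()) == restrict(g, f.keys())

def union(f, g):
    """f ∪ g: defined on dom(f) ∪ dom(g); only well defined for compatible f, g."""
    if not compatible(f, g):
        raise ValueError("f and g disagree on a common argument")
    return {**f, **g}

def big_union(F):
    """⋃F for a list of pairwise compatible functions."""
    F = list(F)
    for i, f in enumerate(F):
        for g in F[i + 1:]:
            if not compatible(f, g):
                raise ValueError("F is not pairwise compatible")
    h = {}
    for f in F:
        h.update(f)  # safe: pairwise compatibility makes every overlap agree
    return h

def down_restrict(f, S):
    """f ↓ S, for f whose values are functions: restrict each f(c) to S."""
    return {c: restrict(f[c], S) for c in f}

def project(f, d):
    """f ↓ d: the function c ↦ f(c)(d); every f(c) must have d in its domain."""
    return {c: f[c][d] for c in f}

def pointwise_compatible(f, g):
    """f(c) and g(c) are compatible for each c ∈ dom(f) ∩ dom(g)."""
    return all(compatible(f[c], g[c]) for c in f.keys() & g.keys())

def pointwise_union(f, g):
    """f ∪ g for functions with equal domain whose values are functions."""
    if f.keys() != g.keys():
        raise ValueError("pointwise union needs dom(f) = dom(g)")
    if not pointwise_compatible(f, g):
        raise ValueError("f and g are not pointwise compatible")
    return {c: union(f[c], g[c]) for c in f}

# Constructed sample: two components sampled at times 0, 1, 2. Each maps a time
# to a valuation (variable name -> value). They share the variable x and must
# agree on it at every common time for the pointwise union to exist.
TAU_A = {0: {"x": 0.0, "y": 1}, 1: {"x": 0.5, "y": 1}, 2: {"x": 1.0, "y": 2}}
TAU_B = {0: {"x": 0.0, "z": 7}, 1: {"x": 0.5, "z": 7}, 2: {"x": 1.0, "z": 8}}
TAU_BAD = {0: {"x": 0.0, "z": 7}, 1: {"x": 0.9, "z": 7}, 2: {"x": 1.0, "z": 8}}

def compose_samples(tau1, tau2):
    """Pointwise union of two sampled trajectories, or None if they conflict on a shared variable."""
    return pointwise_union(tau1, tau2) if pointwise_compatible(tau1, tau2) else None

if __name__ == "__main__":
    joint = compose_samples(TAU_A, TAU_B)
    print("joint valuations:", joint)
    print("x over time     :", project(joint, "x"))
    print("only y and z    :", down_restrict(joint, {"y", "z"}))
    print("conflicting pair:", compose_samples(TAU_A, TAU_BAD))
```

The conflict check in `compose_samples` is the point to notice: two component behaviours can only be glued together when they agree on every shared variable at every common time, which is exactly the pointwise compatibility condition that the composition results later in the paper rely on.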


2.2. Sequences 


Let S be any set. A sequence over S is a function from a downward closed subset of the natural
numbers to S. Thus, the domain of a sequence is either the set of all natural numbers, or is of the form
{0, ..., k}, for some natural number k. In the first case we say that the sequence is infinite, and in the
second case finite. The sets of finite and infinite sequences over S are denoted by S* and S^ω, respectively.
Concatenation of a finite sequence with a finite or infinite sequence is denoted by juxtaposition. We use
λ to denote the empty sequence, that is, the sequence with the empty domain. The sequence containing
one element c ∈ S is abbreviated as c. We say that a sequence σ is a prefix of a sequence ρ, denoted by
σ ≤ ρ, if σ = ρ ⌈ dom(σ). Thus, σ ≤ ρ if either σ = ρ, or σ is finite and ρ = σσ' for some sequence
σ'. If σ is a nonempty sequence then head(σ) denotes the first element of σ and tail(σ) denotes σ with
its first element removed. Moreover, if σ is finite, then last(σ) denotes the last element of σ and init(σ)
denotes σ with its last element removed.
2.3. Partial orders


We recall some basic definitions and results regarding partial orders (posets), and in particular,
complete partial orders (cpos) from [29,32]. A partial order (poset) is a set S together with a binary
relation ⊑ that is reflexive, antisymmetric, and transitive. In the sequel, we usually denote posets by the
set S without explicit mention of the binary relation ⊑.

A subset P ⊆ S is bounded (above) if there is a c ∈ S such that d ⊑ c for each d ∈ P; in this case, c
is an upper bound for P. A least upper bound (lub) for a subset P ⊆ S is an upper bound c for P such
that c ⊑ e for every upper bound e for P. If P has a lub, then it is necessarily unique, and we denote
it by ⨆P. A subset P ⊆ S is directed if every finite subset Q of P has an upper bound in P. A poset
S is complete, and hence is a complete partial order (cpo), if every directed subset P of S has a lub
in S.

We say that P' ⊆ S dominates P ⊆ S, denoted by P ⊑ P', if for every c ∈ P there is some c' ∈ P'
such that c ⊑ c'. We use the following two simple lemmas, adapted from [32] (Lemmas 3.1.1 and 3.1.2).


Lemma 2.1. If P, P' are directed subsets of a cpo S and P ⊑ P' then ⨆P ⊑ ⨆P'.


Lemma 2.2. Let P = {c_{ij} | i ∈ I, j ∈ J} be a doubly indexed subset of a cpo S. Let P_i denote the set
{c_{ij} | j ∈ J} for each i ∈ I. Suppose


(1) P is directed,
(2) each P_i is directed with lub c_i, and
(3) the set {c_i | i ∈ I} is directed.


Then ⨆P = ⨆{c_i | i ∈ I}.


A finite or infinite sequence of elements, c_0, c_1, c_2, ..., of a poset S is called a chain if c_i ⊑ c_{i+1} for
each non-final index i. We define the limit of the chain, lim_{i→∞} c_i, to be the lub of the set {c_0, c_1, c_2, ...}
if S contains such a bound; otherwise, the limit is undefined. Since a chain is a special case of a directed
set, each chain of a cpo has a limit.

A function f : S → S' between posets S and S' is monotone if f(c) ⊑ f(d) whenever c ⊑ d. If f is
monotone and P is a directed set, then the set f(P) = {f(c) | c ∈ P} is directed as well. If f is monotone
and f(⨆P) = ⨆f(P) for every directed set P, then f is said to be continuous.

An element c of a cpo S is compact if, for every directed set P such that c ⊑ ⨆P, there is some
d ∈ P such that c ⊑ d. We define K(S) to be the set of compact elements of S. A cpo S is algebraic if
every c ∈ S is the lub of the set {d ∈ K(S) | d ⊑ c}. A simple example of an algebraic cpo is the set of
finite or infinite sequences over some given domain, equipped with the prefix ordering. Here the compact
elements are the finite sequences.


2.4. Time 


Throughout this paper, we fix a time axis T, which is a subgroup of (ℝ, +), the real numbers with
addition. We assume that every infinite, monotone, bounded sequence of elements of T has a limit in T.
The reader may find it convenient to think of T as the set ℝ of real numbers, but the set ℤ of integers and
the singleton set {0} are also examples of allowed time axes. We define T^{≥0} ≜ {t ∈ T | t ≥ 0}.
An interval J is a nonempty, convex subset of T. We denote intervals as usual: [t_1, t_2] = {t ∈ T | t_1 ≤
t ≤ t_2}, etc. An interval is left-closed (right-closed) if it has a minimum (resp., maximum) element, and
left-open (right-open) otherwise. An interval is closed if it is both left-closed and right-closed, and open if
it is both left-open and right-open. We write min(J) and max(J) for the minimum and maximum elements,
respectively, of an interval J (if they exist), and inf(J) and sup(J) for the infimum and supremum,
respectively, of J in T ∪ {−∞, ∞}. For K ⊆ T and t ∈ T, we define K + t = {t' + t | t' ∈ K}. Similarly,
for a function f with domain K, we define f + t to be the function with domain K + t satisfying, for
each t' ∈ K + t, (f + t)(t') = f(t' − t).


3. Describing hybrid behavior 


In this section, we give basic definitions that are useful for describing discrete and continuous behavior 
of a system or system component, including discrete and continuous changes to the system’s state, and 
discrete and continuous flow of information into and out of the system. The key notions are static and 
dynamic types for variables, trajectories, and hybrid sequences. 


3.1. Static and dynamic types 


We assume a universal set 𝒱 of variables. A variable represents either a location within the state of a
system or a location where information flows from one system component to another. For each variable 
v, we assume both a (static) type, which gives the set of values it may take on, and a dynamic type, which 
gives the set of trajectories it may follow. Formally, for each variable v we assume the following: 

• type(v), the (static) type of v. This is a nonempty set of values.
• dtype(v), the dynamic type of v. This is a set of functions from left-closed intervals of T to type(v)
that satisfies the following properties:

(1) (Closure under time shift)

For each f ∈ dtype(v) and t ∈ T, f + t ∈ dtype(v).

(2) (Closure under subinterval)

For each f ∈ dtype(v) and each left-closed interval J ⊆ dom(f), f ⌈ J ∈ dtype(v).

(3) (Closure under pasting)

Let f_0, f_1, f_2, ... be a sequence of functions in dtype(v) such that, for each index i such that f_i
is not the final function in the sequence, dom(f_i) is right-closed and max(dom(f_i)) = min(dom(f_{i+1})).
Then the function f defined by f(t) ≜ f_i(t), where i is the smallest index such that
t ∈ dom(f_i), is in dtype(v).

The pasting-closure property is useful for modeling “discontinuities” in the evolution of variables caused 
by discrete transitions. Dynamic types provide a convenient way of describing restrictions on system 
behavior over time intervals, for example, restrictions on the behavior of system input variables. 


Example 3.1 (Discrete variables). Let v be any variable and let C be the set of constant functions from 
a left-closed interval to type(v). Then C is closed under time shift and subinterval. If the dynamic type 
of v is obtained by closing C under the pasting operation, then v is called a discrete variable. This is 
essentially the same as the definition of a discrete variable in [63]. 


114 N. Lynch et al. / Information and Computation 185 (2003) 105—157 


[Fig. 1 plot not reproduced: a function graphed over the time interval from 0 to 4]


Fig. 1. Example of a function in a dynamic type based on continuous functions.


Example 3.2 (Standard real-valued function classes). If we take T = R and type(v) = R, then other 
examples of dynamic types can be obtained by taking the pasting closure of standard function classes 
from real analysis, such as the set of continuous functions, the set of differentiable functions, the set of 
functions that are differentiable k times (for any k), the set of smooth functions, the set of integrable 
functions, the set of L^p functions (for any p), the set of measurable locally essentially bounded functions
[79], or the set of all functions. 


Standard function classes are closed under time shift and subinterval, but not under pasting. A natural 
way of defining a dynamic type is as the pasting closure of a class of functions that is closed under time 
shift and subinterval. In such a case, it follows that the new class is closed under all three operations. 


Example 3.3 (Pasting closure of the continuous functions). Fig. 1 shows an example of an element f in 
a dynamic type based on (more precisely, equal to the pasting closure of) a subclass of the continuous 
functions. Function f is defined on the interval [0, 4) and is obtained by pasting together four pieces. 
At the boundary points between these pieces, f takes the value specified by the leftmost piece, which 
makes f continuous from the left. Note that f is undefined at time 4. 


In practice, most interesting dynamic types are pasting closures of subclasses of the continuous 
functions. Note that functions in such dynamic types are continuous from the left. Elsewhere in the 
literature on hybrid systems (e.g. [37]), functions that are continuous from the right are considered. To 
some extent, the choice of how to define function values at discontinuities is arbitrary. An advantage of 
our choice is a nice correspondence between concatenation and prefix ordering of trajectories and hybrid 
sequences (see Lemmas 3.5 and 3.7). 

In this paper, we will occasionally be slightly sloppy and say that the dynamic type of a variable v is 
the function class F, even though F is not closed under the three required operations. In such a case, 
we mean that the dynamic type of v is the function class that results from closing F under the three 
operations. 
3.2. Trajectories 


In this subsection, we define the notion of a trajectory, define operations on trajectories, and prove 
simple properties of trajectories and their operations. A trajectory is used to model the evolution of a 
collection of variables over an interval of time. 


3.2.1. Basic definitions 

Let V ⊆ 𝒱 be a set of variables. A valuation 𝐯 for V is a function that associates with each variable v ∈ V a value in type(v). We write val(V) for the set of valuations for V. Let J be a left-closed interval of T with left endpoint equal to 0. Then a J-trajectory for V is a function τ : J → val(V), such that for each v ∈ V, τ ↓ v ∈ dtype(v). A trajectory for V is a J-trajectory for V, for any J. We write trajs(V) for the set of all trajectories for V.

A trajectory for V with domain [0, 0] is called a point trajectory for V. If 𝐯 is a valuation for V then ℘(𝐯) denotes the point trajectory for V that maps 0 to 𝐯. We say that a J-trajectory is finite if J is a finite interval, closed if J is a (finite) closed interval, open if J is a right-open interval, and full if J = T.

If τ is a trajectory then τ.ltime, the limit time of τ, is the supremum of dom(τ). Also, we define τ.fval, the first valuation of τ, to be τ(0), and if τ is closed, we define τ.lval, the last valuation of τ, to be τ(τ.ltime). For τ a trajectory and t ∈ T^{≥0}, we define

$$
\begin{aligned}
\tau \unlhd t &\triangleq \tau\lceil[0, t],\\
\tau \lhd t &\triangleq \tau\lceil[0, t),\\
\tau \rhd t &\triangleq (\tau\lceil[t, \infty)) - t.
\end{aligned}
$$


Note that, since dynamic types are closed under time shift and subintervals, the result of applying the above operations is always a trajectory, except when the result is a function with an empty domain. By convention, we also write τ ⊴ ∞ ≜ τ and τ ◁ ∞ ≜ τ.


3.2.2. Prefix ordering 

Trajectory τ is a prefix of trajectory τ′, denoted by τ ≤ τ′, if τ can be obtained by restricting τ′ to a subset of its domain. Formally, if τ and τ′ are trajectories for V, then τ ≤ τ′ iff τ = τ′⌈dom(τ). Alternatively, τ ≤ τ′ iff there exists a t ∈ T^{≥0} ∪ {∞} such that τ = τ′ ⊴ t or τ = τ′ ◁ t. If τ ≤ τ′ then clearly dom(τ) ⊆ dom(τ′). If T is a set of trajectories for V, then pref(T) denotes the prefix closure of T, defined by

$$
\mathit{pref}(T) \triangleq \{\tau \in \mathit{trajs}(V) \mid \exists \tau' \in T : \tau \le \tau'\}.
$$

We say that T is prefix closed if T = pref(T).
The following lemma gives a simple domain-theoretic characterization of the set of trajectories over a given set V of variables:


Lemma 3.4. Let V be a set of variables. The set trajs(V) of trajectories for V, together with the prefix ordering ≤, is an algebraic cpo. Its compact elements are the closed trajectories.
Proof. It is trivial to check that (trajs(V), ≤) is a partial order. In order to prove that it is a cpo, assume that T is a directed subset of trajs(V). We prove that T has a least upper bound. It is routine to check that a set of trajectories is directed iff it is totally ordered by prefix. So T is totally ordered. Using this, it follows that the trajectories in T are pairwise compatible functions. Therefore, the function ⋃T is defined.

We now prove that ⋃T is a trajectory for V. If ⋃T ∈ T then this is immediate. Otherwise, let t ∈ T ∪ {∞} be the supremum of the limit times of all trajectories in T. There exists an infinite ascending chain t_0, t_1, t_2, … of limit times of trajectories in T such that t = lim_{i→∞} t_i and all the t_i's are different. For each i, let τ_i be a trajectory in T with t_i = τ_i.ltime. Next define, for each i, τ′_i = τ_{i+1} ⊴ t_i. Then, by construction, the trajectories τ′_0, τ′_1, τ′_2, … are closed and pairwise compatible, and ⋃_i τ′_i = ⋃T. Let τ″_0, τ″_1, τ″_2, … be the sequence of functions defined by

$$
\begin{aligned}
\tau''_0 &\triangleq \tau'_0,\\
\tau''_i &\triangleq \tau'_i\lceil[\tau'_{i-1}.\mathit{ltime}, \infty) \quad \text{if } i > 0.
\end{aligned}
$$

By construction, the τ″_i's are closed, pairwise compatible, and ⋃_i τ″_i = ⋃_i τ′_i. Using the assumption that dynamic types are closed under pasting, it follows that ⋃_i τ″_i (and hence ⋃T) is a trajectory.

Now we show that ⋃T is a lub for T. It follows immediately from the construction of ⋃T that ⋃T is an upper bound for T. Suppose that τ′ is also an upper bound for T. We prove that ⋃T ≤ τ′. Since each τ ∈ T satisfies dom(τ) ⊆ dom(τ′), also ⋃_{τ∈T} dom(τ) ⊆ dom(τ′). By definition of ⋃T, dom(⋃T) = ⋃_{τ∈T} dom(τ). Hence dom(⋃T) ⊆ dom(τ′). Let t be an element of dom(⋃T). Then t is in the domain of some τ ∈ T. Since τ is a prefix of both ⋃T and τ′, (⋃T)(t) = τ′(t). Thus, τ′⌈dom(⋃T) = ⋃T, that is, ⋃T ≤ τ′. It follows that trajs(V) is a cpo.

We leave it to the reader to check that the closed trajectories are the compact elements in this cpo, and that the cpo is algebraic.


3.2.3. Concatenation 

The concatenation of two trajectories is obtained by taking the union of the first trajectory and the function obtained by shifting the domain of the second trajectory until the start time agrees with the limit time of the first trajectory; the last valuation of the first trajectory, which may not be the same as the first valuation of the second trajectory, is the one that appears in the concatenation. Formally, suppose τ and τ′ are trajectories for V, with τ closed. Then the concatenation τ ⌢ τ′ is the function given by

$$
\tau \frown \tau' \triangleq \tau \cup (\tau'\lceil(0, \infty) + \tau.\mathit{ltime}).
$$

Because dynamic types are closed under time shift and pasting, it follows that τ ⌢ τ′ is a trajectory for V. Observe that τ ⌢ τ′ is finite (resp., closed, full) if and only if τ′ is finite (resp., closed, full). Observe also that concatenation is associative.

The following lemma, which is easy to prove, shows the close connection between concatenation and 
the prefix ordering. 


Lemma 3.5. Let τ and υ be trajectories for V with τ closed. Then

$$
\tau \le \upsilon \iff \exists \tau' \in \mathit{trajs}(V) : \upsilon = \tau \frown \tau'.
$$
Note that if τ ≤ υ, then the trajectory τ′ such that υ = τ ⌢ τ′ is unique except that it has an arbitrary value for τ′.fval. Note also that the “⇐” implication in Lemma 3.5 would not hold if the first valuation of the second argument, rather than the last valuation of the first argument, were used in the concatenation.

We extend the definition of concatenation to any (finite or countably infinite) number of arguments. Let τ_0, τ_1, τ_2, … be a (finite or infinite) sequence of trajectories such that τ_i is closed for each nonfinal index i. Define trajectories τ′_0, τ′_1, τ′_2, … inductively by

$$
\begin{aligned}
\tau'_0 &\triangleq \tau_0,\\
\tau'_{i+1} &\triangleq \tau'_i \frown \tau_{i+1} \quad \text{for nonfinal } i.
\end{aligned}
$$

Lemma 3.5 implies that for each nonfinal i, τ′_i ≤ τ′_{i+1}. We define the concatenation τ_0 ⌢ τ_1 ⌢ τ_2 ⌢ ⋯ to be the limit of the chain τ′_0, τ′_1, τ′_2, …; existence of this limit follows from Lemma 3.4.


3.3. Hybrid sequences 


In this subsection, we introduce the notion of a hybrid sequence, which is used to model a combination 
of changes that occur instantaneously and changes that occur over intervals of time. Our definition is 
parameterized by a set A of actions, which are used to model instantaneous changes and instantaneous 
synchronizations with the environment, and a set V of variables, which are used to model changes over 
intervals of time and continuous interaction with the environment. We also define some special kinds of 
hybrid sequences and some operations on hybrid sequences, and give basic properties. 


3.3.1. Basic definitions 

Fix a set A of actions and a set V of variables. An (A, V)-sequence is a finite or infinite alternating sequence α = τ_0 a_1 τ_1 a_2 τ_2 …, where
(1) each τ_i is a trajectory in trajs(V),
(2) each a_i is an action in A,
(3) if α is a finite sequence then it ends with a trajectory, and
(4) if τ_i is not the last trajectory in α then dom(τ_i) is closed.
A hybrid sequence is an (A, V)-sequence for some A and V.

Since the trajectories in a hybrid sequence can be point trajectories, our notion of hybrid sequence 
allows a sequence of discrete actions to occur at the same real time, with corresponding changes of 
variable values. An alternative approach is described in [69], where state changes at a single real time 
are modeled using a notion of “superdense time”. Specifically, hybrid behavior is modeled in [69] using 
functions from an extended time domain, which includes countably many elements for each real time, 
to states. 

If α is a hybrid sequence, with notation as above, then we define the limit time of α, α.ltime, to be Σ_i τ_i.ltime. A hybrid sequence α is defined to be:

• time-bounded if α.ltime is finite.
• admissible if α.ltime = ∞.
• closed if α is a finite sequence and the domain of its final trajectory is a closed interval.
• Zeno if α is neither closed nor admissible, that is, if α is time-bounded and is either an infinite sequence, or else a finite sequence ending with a trajectory whose domain is right-open.


A more standard definition of “Zeno” would be simply “a time-bounded infinite sequence”. We add the 
second option to the definition in order to guarantee a simple property of the hiding/restriction operator, 
see Lemma 4.9(2). Except for Lemma 4.9(2), all results of this paper hold also for the more standard 
definition. We say that a hybrid sequence is “non-Zeno” if it is not Zeno, that is, if it is closed or 
admissible. 

For any hybrid sequence α, we define the first valuation of α, α.fval, to be τ_0.fval. Also, if α is closed, we define the last valuation of α, α.lval, to be last(α).lval, that is, the last valuation in the final trajectory of α.


3.3.2. Prefix ordering 


We say that (A, V)-sequence α = τ_0 a_1 τ_1 … is a prefix of (A, V)-sequence β = υ_0 b_1 υ_1 …, denoted by α ≤ β, provided that (at least) one of the following holds:
(1) α = β.
(2) α is a finite sequence ending in some τ_k; τ_i = υ_i and a_{i+1} = b_{i+1} for every i, 0 ≤ i < k; and τ_k ≤ υ_k.

Like the set of trajectories over V, the set of (A, V)-sequences is a cpo:


Lemma 3.6. Let V be a set of variables and A a set of actions. The set of (A, V)-sequences, together with the prefix ordering ≤, is an algebraic cpo. Its compact elements are the closed (A, V)-sequences.


Proof. We leave to the reader the routine check that ≤ is a partial order. Note that this uses the fact that ≤ is a partial order on trajectories (Lemma 3.4).

In order to prove that we have a cpo, let S be a directed subset of (A, V)-sequences. We prove that S has a least upper bound. It is easy to check that S is totally ordered by the prefix ordering ≤. We distinguish two cases.

(1) There is no finite upper bound on the number of trajectories that occur in the sequences in S. In this case, we can construct an infinite sequence α_0, α_1, α_2, … of elements of S such that, for each i, α_i contains at least i actions and i + 1 trajectories, and α_i ≤ α_{i+1}. For each i ∈ ℕ, let τ_i be the (i + 1)-st trajectory (the one indexed by i) in α_{i+1}, and for i ≥ 1, let a_i be the i-th action in α_i. Let α = τ_0 a_1 τ_1 a_2 τ_2 …. It is easy to verify that α is an upper bound of the set {α_i | i ∈ ℕ} and in fact, is the only upper bound of this set. It follows that α is the lub of S, as needed.

(2) There is a finite upper bound k on the number of trajectories that occur in the (A, V)-sequences in S. In this case, let S′ be the set obtained by removing all sequences with fewer than k trajectories from S. Since S′ is totally ordered, init(α) = init(α′) for any α, α′ ∈ S′. (Recall that init is an ordinary sequence operation: it yields all but the last element of the sequence.) Choose any α ∈ S′ and let σ = init(α). Let T be the set of final trajectories of sequences in S′. Again using the fact that S′ is totally ordered, we obtain that T is totally ordered by the prefix ordering on trajectories. Let τ be the least upper bound of T (this upper bound exists by Lemma 3.4). It is routine to check that σ τ is a least upper bound of S′, and thus of S.

We leave it to the reader to check that the closed (A, V)-sequences are the compact elements in this cpo, and that the cpo is algebraic.
3.3.3. Concatenation 

Suppose α and α′ are (A, V)-sequences with α closed. Then the concatenation α ⌢ α′ is the (A, V)-sequence given by

$$
\alpha \frown \alpha' \triangleq \mathit{init}(\alpha)\ (\mathit{last}(\alpha) \frown \mathit{head}(\alpha'))\ \mathit{tail}(\alpha').
$$

(Here, init, last, head and tail are ordinary sequence operations.)

Lemma 3.7. Let α and β be (A, V)-sequences with α closed. Then

$$
\alpha \le \beta \iff \exists \alpha' : \beta = \alpha \frown \alpha'.
$$

Note that if α ≤ β, then the (A, V)-sequence α′ such that β = α ⌢ α′ is unique except that it has an arbitrary value in val(V) for α′.fval.
As we did for trajectories, we extend the concatenation definition for (A, V)-sequences to any finite or infinite number of arguments. Let α_0, α_1, … be a finite or infinite sequence of (A, V)-sequences such that α_i is closed for each nonfinal index i. Define (A, V)-sequences α′_0, α′_1, … inductively by

$$
\begin{aligned}
\alpha'_0 &\triangleq \alpha_0,\\
\alpha'_{i+1} &\triangleq \alpha'_i \frown \alpha_{i+1} \quad \text{for nonfinal } i.
\end{aligned}
$$

Lemma 3.7 implies that for each nonfinal i, α′_i ≤ α′_{i+1}. We define the concatenation α_0 ⌢ α_1 ⌢ ⋯ to be the limit of the chain α′_0, α′_1, …; existence of this limit is ensured by Lemma 3.6.


3.3.4. Restriction 

Let A and A′ be sets of actions and let V and V′ be sets of variables. The (A′, V′)-restriction of an (A, V)-sequence α, denoted by α⌈(A′, V′), is obtained by first projecting all trajectories of α on the variables in V′, then removing the actions not in A′, and finally concatenating all adjacent trajectories. Formally, we define the (A′, V′)-restriction first for closed (A, V)-sequences and then extend the definition to arbitrary (A, V)-sequences using a limit construction. The definition for closed (A, V)-sequences is by induction on the length of those sequences:

$$
\begin{aligned}
\tau\lceil(A', V') &\triangleq \tau \downarrow V' && \text{if } \tau \text{ is a single trajectory},\\
(\alpha\, a\, \tau)\lceil(A', V') &\triangleq (\alpha\lceil(A', V'))\ a\ (\tau \downarrow V') && \text{if } a \in A',\\
(\alpha\, a\, \tau)\lceil(A', V') &\triangleq (\alpha\lceil(A', V')) \frown (\tau \downarrow V') && \text{otherwise.}
\end{aligned}
$$

Note that in the case where, due to removal of some action, we concatenate two adjacent trajectories, we lose the first state of the second trajectory (by letting the last state of the first trajectory dominate). It is easy to see that the restriction operator is monotone on the set of closed (A, V)-sequences. Hence, if we apply this operation to a directed set, the result is again a directed set. Together with Lemma 3.6, this allows us to extend the definition of restriction to arbitrary (A, V)-sequences by:

$$
\alpha\lceil(A', V') \triangleq \bigsqcup\{\beta\lceil(A', V') \mid \beta \text{ is a closed prefix of } \alpha\}.
$$
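The following is an added example, not code from the paper: an executable model of the trajectory concatenation of Section 3.2.3, the (A, V)-sequence concatenation of 3.3.3 and the restriction operator defined just above, applied to a constructed closed sequence. All class and function names (Trajectory, concat, project, restrict, example_sequence) are this example's own.

```python
# Added example, not from the paper: trajectories as pasted pieces, with the
# concatenation and restriction operators of Sections 3.2-3.3. Names are this
# example's own; the sample sequence at the bottom is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple, Union

Valuation = Dict[str, float]
# A piece (lo, hi, f) supplies f(t) for t in [lo, hi]; pieces are pasted in order.
Piece = Tuple[float, float, Callable[[float], Valuation]]


@dataclass
class Trajectory:
    """A finite trajectory: domain [0, ltime] if `closed`, else [0, ltime).
    Where two pieces share a boundary point the LEFT piece supplies the value,
    so pasted trajectories are continuous from the left (as in Example 3.3)."""
    pieces: List[Piece]
    closed: bool = True

    @property
    def ltime(self) -> float:
        return self.pieces[-1][1]

    def __call__(self, t: float) -> Valuation:
        if t < 0 or t > self.ltime or (t == self.ltime and not self.closed):
            raise KeyError(f"time {t} is outside dom(tau)")
        for lo, hi, f in self.pieces:      # first match wins: the leftmost piece
            if lo <= t <= hi:
                return f(t)
        raise KeyError(f"no piece covers time {t}")

    @property
    def fval(self) -> Valuation:
        return self(0.0)

    @property
    def lval(self) -> Valuation:
        assert self.closed, "lval is only defined for closed trajectories"
        return self(self.ltime)


def concat(tau: Trajectory, tau2: Trajectory) -> Trajectory:
    """tau ⌢ tau2 = tau ∪ (tau2⌈(0, ∞) + tau.ltime), for tau closed.
    tau2's first valuation is dropped: at time tau.ltime the result is tau.lval."""
    assert tau.closed, "only a closed trajectory can be a left argument"
    shift = tau.ltime
    shifted: List[Piece] = [(lo + shift, hi + shift, lambda t, f=f: f(t - shift))
                            for lo, hi, f in tau2.pieces]
    return Trajectory(tau.pieces + shifted, closed=tau2.closed)


def project(tau: Trajectory, variables: Set[str]) -> Trajectory:
    """tau ↓ V': the same trajectory restricted to the variables in V'."""
    return Trajectory([(lo, hi, lambda t, f=f: {v: f(t)[v] for v in variables})
                       for lo, hi, f in tau.pieces], tau.closed)


# An (A, V)-sequence is an alternating list tau0, a1, tau1, ..., ending in a trajectory.
Element = Union[Trajectory, str]


def is_closed_sequence(alpha: List[Element]) -> bool:
    """Closed: finite, ends with a trajectory, and every trajectory is closed."""
    return (isinstance(alpha[-1], Trajectory)
            and all(el.closed for el in alpha if isinstance(el, Trajectory)))


def ltime(alpha: List[Element]) -> float:
    """alpha.ltime: the sum of the limit times of its trajectories."""
    return sum(el.ltime for el in alpha if isinstance(el, Trajectory))


def restrict(alpha: List[Element], actions: Set[str], variables: Set[str]) -> List[Element]:
    """alpha ⌈ (A', V') for closed alpha, following the inductive definition of
    Section 3.3.4: project every trajectory on V', keep the actions in A', and
    concatenate the two trajectories around each removed action (the first
    state of the second one is lost; its predecessor's last state dominates)."""
    assert is_closed_sequence(alpha)
    out: List[Element] = [project(alpha[0], variables)]
    for a, tau in zip(alpha[1::2], alpha[2::2]):
        tau_p = project(tau, variables)
        if a in actions:
            out += [a, tau_p]
        else:
            out[-1] = concat(out[-1], tau_p)
    return out


def example_sequence() -> List[Element]:
    """Constructed sample: A = {suggest, tick}, V = {clock, acc-suggested}. Every
    action resets the clock; only suggest changes acc-suggested."""
    def run(length: float, acc: float) -> Trajectory:
        return Trajectory([(0.0, length, lambda t: {"clock": t, "acc-suggested": acc})])
    return [run(1.0, 0.0), "suggest", run(1.0, 2.0), "tick", run(0.5, 2.0)]


if __name__ == "__main__":
    alpha = example_sequence()
    beta = restrict(alpha, {"suggest"}, {"clock"})     # tick removed: its neighbours merge
    gamma = restrict(alpha, set(), {"acc-suggested"})  # everything merges into one trajectory
    print(len(beta), beta[2](1.0), beta[2](1.25), len(gamma), gamma[0](1.0), gamma[0](1.5))
```

Evaluating the merged trajectory at the old boundary time returns the left neighbour's last valuation, which is the "lose the first state of the second trajectory" behaviour noted above; restricting twice reproduces Lemma 3.10 on this sample.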


Lemma 3.8. (A’, V’)-restriction is a continuous operation. 
Proof. This follows by general domain-theoretic arguments. For convenience, in this proof we write f(α) as an abbreviation for α⌈(A′, V′).

First we establish that (A′, V′)-restriction is monotone for arbitrary (A, V)-sequences. Let α, α′ be (A, V)-sequences with α ≤ α′; we show that f(α) ≤ f(α′). Let P and P′ denote the set of closed prefixes of α and α′, respectively. By transitivity of the prefix ordering, it follows that P′ dominates P, that is, P ⊆ P′. Since the restriction operation is monotone on closed (A, V)-sequences, it follows that f(P) ⊆ f(P′). Then Lemma 2.1 implies that ⊔f(P) ≤ ⊔f(P′). By the definition of the restriction operation, this implies that f(α) ≤ f(α′), which shows monotonicity.

Now we complete the proof that (A′, V′)-restriction is continuous by assuming that P is any directed set of (A, V)-sequences and showing that f(⊔P) = ⊔f(P). By the definition of the restriction operation, f(⊔P) = ⊔{f(β) | β is a closed prefix of ⊔P}. By Lemma 3.6 and the definition of compact elements, any closed prefix β of ⊔P is also a prefix of some α ∈ P. Therefore, f(⊔P) = ⊔{f(β) | β is closed and ∃α ∈ P : β is a prefix of α}.

Now we apply Lemma 2.2 to the right-hand side of this last equation. To do this, we must show:

(1) Q = {f(β) | β is closed and ∃α ∈ P : β is a prefix of α} is a directed set. To see this, consider any nonempty finite subset R ⊆ Q. Each element of R is a prefix of some α ∈ P. Therefore, since P is a directed set, there is some single α′ ∈ P such that each element of R is a prefix of α′. Therefore, R is a directed set; since R is finite, it has a lub in R, and hence in Q, as needed.

(2) For each α ∈ P, {f(β) | β is closed and β is a prefix of α} is a directed set with lub f(α). The first part follows because the set of closed prefixes of α is a directed set and f is monotone. The second part follows from the definition of restriction.

(3) The set f(P) is directed. This follows because P is a directed set and f is monotone.

Then Lemma 2.2 implies that

$$
\bigsqcup\{f(\beta) \mid \beta \text{ is closed and } \exists \alpha \in P : \beta \text{ is a prefix of } \alpha\} = \bigsqcup\{f(\alpha) \mid \alpha \in P\} = \bigsqcup f(P).
$$

Thus, f(⊔P) = ⊔f(P), as needed.


The proofs of the following three lemmas are left to the reader. 


Lemma 3.9. (α_0 ⌢ α_1 ⌢ ⋯)⌈(A, V) = α_0⌈(A, V) ⌢ α_1⌈(A, V) ⌢ ⋯.

Lemma 3.10. (α⌈(A, V))⌈(A′, V′) = α⌈(A ∩ A′, V ∩ V′).

Lemma 3.11.
(1) α is time-bounded if and only if α⌈(A, V) is time-bounded.
(2) α is admissible if and only if α⌈(A, V) is admissible.
(3) If α is closed then α⌈(A, V) is closed.
(4) If α is non-Zeno then α⌈(A, V) is non-Zeno.
4. Hybrid automata 


In this section, as a preliminary step toward defining hybrid I/O automata, we define a slightly more 
general hybrid automaton model. In hybrid automata, actions and variables are classified as external 
or internal. External actions and variables are not further classified as input or output; the input/output 
distinction is added later in Section 6. We define how hybrid automata execute and define implementation 
and simulation relations between hybrid automata. 


4.1. Definition of hybrid automata 


A hybrid automaton is a state machine whose states are valuations of variables, and that uses other 
variables for communication with its environment. It also has a set of actions, some of which may 
be internal and some external. The state of a hybrid automaton may change in two ways: by discrete 
transitions, which change the state atomically and instantaneously, and by trajectories, which describe 
the evolution of the state over intervals of time. The discrete transitions are labeled with actions; this 
will allow us to synchronize the transitions of different hybrid automata when we compose them in 
parallel. The evolution described by a trajectory may be described by continuous or discontinuous 
functions. 


Definition 4.1. A hybrid automaton (HA) 𝒜 = (W, X, Q, Θ, E, H, 𝒟, 𝒯) consists of:

• A set W of external variables and a set X of internal variables, disjoint from each other. We write V ≜ W ∪ X.

• A set Q ⊆ val(X) of states.

• A nonempty set Θ ⊆ Q of start states.

• A set E of external actions and a set H of internal actions, disjoint from each other. We write A ≜ E ∪ H.

• A set 𝒟 ⊆ Q × A × Q of discrete transitions. We use $x \xrightarrow{a}_{\mathcal{A}} x'$ as shorthand for (x, a, x′) ∈ 𝒟. We sometimes drop the subscript and write $x \xrightarrow{a} x'$, when we think 𝒜 should be clear from the context. We say that a is enabled in x if there exists an x′ such that $x \xrightarrow{a} x'$.

• A set 𝒯 of trajectories for V such that τ(t)⌈X ∈ Q for every τ ∈ 𝒯 and t ∈ dom(τ). Given a trajectory τ ∈ 𝒯 we denote τ.fval⌈X by τ.fstate and, if τ is closed, we denote τ.lval⌈X by τ.lstate. We require that the following axioms hold:

T1 (Prefix closure) 
For every τ ∈ 𝒯 and every τ′ ≤ τ, τ′ ∈ 𝒯. 
T2 (Suffix closure) 
For every τ ∈ 𝒯 and every t ∈ dom(τ), τ ▷ t ∈ 𝒯. 
T3 (Concatenation closure) 
Let τ_0, τ_1, τ_2, … be a sequence of trajectories in 𝒯 such that, for each nonfinal index i, τ_i is closed and τ_i.lstate = τ_{i+1}.fstate. Then τ_0 ⌢ τ_1 ⌢ τ_2 ⋯ ∈ 𝒯.


Axioms T1-T3 express some natural conditions on the set of trajectories that we need to construct our 
theory. A key part of this theory is a parallel composition operation for hybrid automata. In a composed 
system, any trajectory of any component automaton may be interrupted at any time by a discrete transition 
of another (possibly independent) component automaton. Axiom T1 ensures that the part of the trajectory 
up to the discrete transition is a trajectory, and axiom T2 ensures that the remainder is a trajectory. Axiom 
T3 is required because the environment of a hybrid automaton, as a result of its own internal discrete 
transitions, may change its continuous dynamics repeatedly, and the automaton must be able to follow 
this behavior. 

The earlier definition of hybrid automata in [53,54] used a special stuttering action e instead of axiom T3. Another key difference between the new definition of hybrid automaton and the earlier one is that in [53,54], the external variables were considered to be part of the state. This meant, for example, that discrete transitions could depend on the values of these variables, a situation that introduced technical complications. A local transition of one automaton could change an output variable, which could cause a discrete change in a second automaton, which in turn could change an input variable in the first automaton. To avoid cyclic constraints during the interaction of systems, we had to add several axioms, which complicated the use of our automaton definitions in applications.

In the new definition, we explicitly identify the set Q of states as a subset of val(X). In the earlier 
definition of [53,54] any valuation in val(X) was called a state. The reason for introducing Q is that in 
Section 6, we will require that in each state each input trajectory is accepted. In actual system descriptions, 
we often encounter valuations which are not reachable from the initial state, which in fact we do not 
want to view as states, and from which no behavior is enabled.⁴ By excluding these “ghost” valuations from Q, we save ourselves the trouble of having to think about them.

Hybrid automata that have no external variables are very similar to the timed automata defined in 
[60,74]. The main difference is that hybrid automata have trajectories as a primitive rather than a derived 
notion. Also, the state of a timed automaton need not be organized using variables with particular types 
and dynamic types. 


Notation. We often denote the components of an HA 𝒜 by W_𝒜, X_𝒜, Q_𝒜, Θ_𝒜, E_𝒜, etc., and the components of an HA 𝒜_i by W_i, X_i, Q_i, Θ_i, E_i, etc. We sometimes omit these subscripts, where no confusion seems likely.


Notation. In examples we typically specify sets of trajectories using differential and algebraic equations and inclusions. Below we explain a few notational conventions that help us in doing this. Suppose the time domain T is ℝ, τ is a (fixed) trajectory over some set of variables V, and v ∈ V. With some abuse of notation, we use the variable name v to denote the function τ ↓ v in dom(τ) → type(v), which gives the value of v at all times during trajectory τ. Similarly, we view any expression e containing variables from V as a function with domain dom(τ). Using these conventions we can say, for example, that τ satisfies the algebraic equation

$$
v = e,
$$

which means that, for every t ∈ dom(τ), v(t) = e(t), that is, the constraint on the variables expressed by equation v = e holds for each state on trajectory τ. Suppose that v is a variable and e is a real-valued expression containing variables from V. Suppose also that e, when viewed as a function, is integrable. Then we say that τ satisfies the differential equation

$$
\dot v = e
$$


4 Typical examples are the valuations that do not satisfy the “location invariants” of Alur-Dill style timed automata [2]. 
Fig. 2. The hybrid automaton Vehicle (external variables acc-in and vel-out).

if, for every t ∈ dom(τ),

$$
v(t) = v(0) + \int_0^t e(t')\,dt'.
$$

Note that this interpretation of the differential equation makes sense even at points where v is not differentiable. A similar interpretation of differential equations is used by Polderman and Willems [71], who call these “weak solutions”.

In the remainder of this section, we give two simple examples of hybrid automata. 


Example 4.2 (Vehicle HA). We describe an HA Vehicle, displayed⁵ in Fig. 2, which models a vehicle that follows a suggested acceleration approximately, to within an error of ε > 0.

The time domain T is R. The state of the Vehicle automaton includes two real-valued internal variables 
vel and acc, which represent the actual velocity and acceleration of the vehicle, respectively. In addition, 
the automaton has two real-valued external variables, vel-out and acc-in, representing reported velocity 
and suggested acceleration. The dynamic type of the variables vel, vel-out, and acc-in is the (pasting 
closure of the) set of continuous functions. The dynamic type of acc is the set of integrable functions. 

Vehicle is defined to be the HA such that W = {acc-in, vel-out}, X = {vel, acc}, Q is the set of all valuations of the variables vel and acc, and Θ consists of the single valuation that assigns 0 to both state variables. The set of actions is empty, and (therefore) 𝒟, the set of discrete transitions, is empty. Set 𝒯 consists of all trajectories that satisfy:

$$
\begin{aligned}
\dot{\textit{vel}} &= \textit{acc} && (1)\\
\textit{acc}(t) &\in [\textit{acc-in}(t) - \varepsilon,\ \textit{acc-in}(t) + \varepsilon] \quad \text{for } t > 0, && (2)\\
\textit{vel-out} &= \textit{vel} && (3)
\end{aligned}
$$


Eq. (1) says that the velocity is obtained by integrating the acceleration. Inclusion (2) asserts that, except possibly for the left endpoint, the actual acceleration is within ε of the suggested acceleration. Eq. (3) 
says that the velocity is reported accurately. We leave the reader to show that the trajectory axioms 
T1-T3 are satisfied; the form of the equations and inclusions used to define the trajectories should make 
this clear. We restrict to the case t > 0 in Eq. (2) because we do not want to constrain either the input or 
the starting state of trajectories. The reason for this restriction is technical (it ensures that Vehicle can be 
viewed as a proper HIOA that satisfies the input trajectory enabling property) and should become clearer 
in Section 6. 


5 We use an arrow notation because later on in this paper in Section 6, we will view acc-in as an input variable and vel-out 
as an output variable. Within the context of the present chapter the arrow notation has no meaning. 
Fig. 3. The hybrid automaton Controller (internal variables vel-sensed and acc-suggested).


Example 4.3 (Controller HA). Now we describe an HA Controller, displayed in Fig. 3, which models a controller that suggests accelerations for a vehicle, with the intention of ensuring that the vehicle's velocity does not exceed a pre-specified velocity vmax. The controller monitors the vehicle's velocity, and every time d, for some fixed d > 0, it produces a new suggested acceleration to be followed for the next time d. The acceleration is chosen in such a way that, if it is followed to within an error of ε, the velocity will remain below vmax (provided the vehicle is not going too fast in the first place). We assume that vmax > ε d.

The components of the Controller HA are as follows: W = {vel-out, acc-in} and X = {vel-sensed, acc-suggested, clock}. All variables are of type ℝ. The dynamic types of vel-out, vel-sensed, acc-in, and clock are the (pasting closure of the) set of continuous functions, and acc-suggested is a discrete variable. Q is the set of valuations of X in which clock ≤ d. Θ consists of one valuation, which assigns 0 to all state variables. E = ∅ and H contains the single action suggest. Set 𝒟 consists of the suggest steps specified by:⁶

$$
\begin{aligned}
\textit{clock} &= d && (4)\\
\textit{vel-sensed} + (\textit{acc-suggested}' + \varepsilon)\,d &\le \textit{vmax} && (5)\\
\textit{clock}' &= 0 && (6)\\
\textit{vel-sensed}' &= \textit{vel-sensed} && (7)
\end{aligned}
$$


Eq. (4) says that the clock indicates that it is time for the suggested acceleration to be computed. Inequality (5) says that the new suggested acceleration is chosen so that, if the vehicle follows it for the next time d, even with an error of ε, the velocity will still remain at most vmax. Equation (6) says that the clock is reset after the discrete transition. Equation (7) says that the transition does not change the value of vel-sensed. Set 𝒯 consists of all trajectories that satisfy:

$$
\begin{aligned}
\dot{\textit{acc-suggested}} &= 0 && (8)\\
\dot{\textit{clock}} &= 1 && (9)\\
\textit{vel-sensed}(t) &= \textit{vel-out}(t) \quad \text{for } t > 0 && (10)\\
\textit{acc-in} &= \textit{acc-suggested}. && (11)
\end{aligned}
$$

6 Here we use the standard convention that v denotes the value of a variable in the start state of a discrete transition, and v′ denotes the value in the end state.


Since acc-suggested is a discrete variable, the reader might think that adding constraint (8) makes 
no difference. However, if we expand this constraint using our definition of solutions for differential 
equations, we obtain 

$$
\textit{acc-suggested}(t) = \textit{acc-suggested}(0) + \int_0^t 0\,dt' = \textit{acc-suggested}(0),
$$


which means that acc-suggested remains constant throughout the full trajectory. So the effect of adding 
differential equation (8) is that it rules out the jumps that are allowed by the dynamic type of acc-suggested. 
Eq. (9) states that clock has rate 1, and is therefore a clock variable in the sense of the timed automaton 
model of [5]. 
Eq. (10) says that the velocity sensed by the controller is the same as the velocity reported to the controller 
by its environment. Eq. (11) asserts that the acceleration that the controller provides to its environment 
is the same as the acceleration that it has most recently computed. Again, we leave the reader to show 
that the trajectory axioms T1-T3 are satisfied. 


4.2. Executions and traces 


We now define execution fragments, executions, trace fragments, and traces, which are used to describe automaton behavior. An execution fragment of a hybrid automaton 𝒜 is an (A, V)-sequence α = τ_0 a_1 τ_1 a_2 τ_2 …, where (1) each τ_i is a trajectory in 𝒯, and (2) if τ_i is not the last trajectory in α then $\tau_i.\mathit{lstate} \xrightarrow{a_{i+1}} \tau_{i+1}.\mathit{fstate}$. An execution fragment records what happens during a particular run of a system, including all the instantaneous, discrete state changes and all the changes to the state and external variables that occur while time advances. We write frags_𝒜 for the set of all execution fragments of 𝒜.

If α is an execution fragment, with notation as above, then we define the first state of α, α.fstate, to be τ_0.fstate. We say that α is an execution fragment from a state x if α.fstate = x. An execution fragment α is defined to be an execution if α.fstate is a start state, that is, α.fstate ∈ Θ. We write execs_𝒜 for the set of all executions of 𝒜. If α is a closed (A, V)-sequence then we define the last state of α, α.lstate, to be last(α).lstate. A state of 𝒜 is reachable if it is the last state of some closed execution of 𝒜.


Example 4.4 (Vehicle execution). Since the Vehicle HA of Example 4.2 has no discrete steps, each of its executions is a one-element sequence consisting of a single trajectory over all the variables of Vehicle. An example of such an execution, depicted graphically in Fig. 4, is the one consisting of the trajectory τ with τ.ltime = ∞, and such that:

$$
\textit{acc-in}(t) =
\begin{cases}
0 & \text{if } t \le 1,\\
2 & \text{if } 1 < t \le 3,\\
0 & \text{if } t > 3.
\end{cases}
\qquad
\textit{acc}(t) =
\begin{cases}
\varepsilon & \text{if } t \le 1,\\
2 + \varepsilon & \text{if } 1 < t \le 3,\\
0 & \text{if } t > 3.
\end{cases}
$$

Fig. 4. An execution of the Vehicle: plots of acc and of vel = vel-out (the lower two lines after 3 are supposed to coincide).

$$
\textit{vel}(t) = \textit{vel-out}(t) =
\begin{cases}
\varepsilon t & \text{if } t \le 1,\\
(2 + \varepsilon)t - 2 & \text{if } 1 < t \le 3,\\
4 + 3\varepsilon & \text{if } t > 3.
\end{cases}
$$

Any finite prefix of τ would also yield an execution of Vehicle. The trace of τ is the one-element sequence obtained by projecting τ on {acc-in, vel-out}.


Example 4.5 (Controller execution). In the Controller HA of Example 4.3, suppose d = 1, so the 
suggested acceleration is recalculated at times 1, 2, etc. Also suppose that vmax ≥ 4 + 4ε. Then an 
example execution of Controller is the infinite sequence α = $\tau_0$ suggest $\tau_1$ suggest $\tau_2$ ..., where, for 
every i and for every t ∈ dom($\tau_i$): 

(1) $\tau_i.\mathit{ltime} = 1$. 

(2) $\tau_i(t)(\mathit{clock}) = t$. 

(3) If i = 0 then $\tau_i(t)(v)$ is equal to 0 for v ∈ {acc-suggested, acc-in} and εt for v ∈ {vel-out, vel-sensed}. 

(4) If 1 ≤ i ≤ 2 then $\tau_i(t)(v)$ is equal to 2 for v ∈ {acc-suggested, acc-in} and (2 + ε)(i + t) − 2 for 
v ∈ {vel-out, vel-sensed}. 

(5) If i ≥ 3 then $\tau_i(t)(v)$ is equal to 0 for v ∈ {acc-suggested, acc-in} and 4 + 3ε for v ∈ {vel-out, vel-sensed}. 


N. Lynch et al. / Information and Computation 185 (2003) 105-157 127 


The assumed bound on vmax implies that the suggested accelerations in this execution are actually 
possible suggestions according to the rule given in the Controller automaton definition. The trace of 
execution α consists of a single trajectory because Controller has no external actions. This trajectory is 
defined by: 

$$
\mathit{acc\text{-}in}(t) = \begin{cases} 0 & \text{if } t \le 1,\\ 2 & \text{if } 1 < t \le 3,\\ 0 & \text{if } t > 3, \end{cases}
\qquad
\mathit{vel\text{-}out}(t) = \begin{cases} \varepsilon t & \text{if } t \le 1,\\ (2 + \varepsilon)t - 2 & \text{if } 1 < t \le 3,\\ 4 + 3\varepsilon & \text{if } t > 3. \end{cases}
$$
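To make the definitions of this subsection concrete, the following Python script (an added example, not code from the paper) builds the closed prefixes of the execution α of Example 4.5 as data, checks condition (2) of the definition of execution fragment against the suggest step of Example 4.3, and computes the (E, W)-restriction that yields the trace. It fixes ε = 1/10 and, as in the example, d = 1 and vmax = 4 + 4ε; these values, the use of exact rationals, and the convention that the pasted trace keeps the earlier trajectory's value at a junction (which is how this example reads the concatenation operation of Section 3) are assumptions of the example.

```python
"""Execution alpha = tau_0 suggest tau_1 suggest ... of Example 4.5 (d = 1), built as
data and checked against the definitions of Section 4.2.  Added example, not the
paper's code; epsilon = 1/10 and the use of exact rationals are assumptions."""
from fractions import Fraction as F
from typing import Callable, Dict, List, Union

Val = Dict[str, F]
EPS = F(1, 10)                         # assumed value of the uncertainty parameter
D = F(1)                               # recalculation period d
VMAX = 4 + 4 * EPS                     # the bound on vmax assumed in Example 4.5
EXTERNAL_VARS = ("acc-in", "vel-out")  # W of Controller; its E is empty


class Traj:
    """A closed trajectory over [0, ltime], given as a function of local time."""
    def __init__(self, ltime: F, fn: Callable[[F], Val]):
        self.ltime, self.fn = ltime, fn

    def fstate(self) -> Val:
        return self.fn(F(0))

    def lstate(self) -> Val:
        return self.fn(self.ltime)


def controller_segment(i: int) -> Traj:
    """tau_i of Example 4.5, items (1)-(5), for local time t in [0, 1]."""
    if i == 0:
        acc, vel = (lambda t: F(0)), (lambda t: EPS * t)
    elif i <= 2:
        acc, vel = (lambda t: F(2)), (lambda t: (2 + EPS) * (i + t) - 2)
    else:
        acc, vel = (lambda t: F(0)), (lambda t: 4 + 3 * EPS)
    return Traj(D, lambda t: {"clock": t, "acc-suggested": acc(t), "acc-in": acc(t),
                              "vel-sensed": vel(t), "vel-out": vel(t)})


def suggest_step(x: Val, xp: Val) -> bool:
    """x --suggest--> x' as specified in Example 4.3: enabled at clock = d, resets the
    clock, keeps vel-sensed, and only suggests an acceleration that cannot push the
    velocity past vmax before the next recalculation (worst case acc = suggestion + eps)."""
    return (x["clock"] == D and xp["clock"] == 0
            and xp["vel-sensed"] == x["vel-sensed"]
            and x["vel-sensed"] + (xp["acc-suggested"] + EPS) * D <= VMAX)


def is_execution_fragment(alpha: List[Union[Traj, str]]) -> bool:
    """Condition (2) of the definition: every nonfinal trajectory is closed and its
    last state steps, via the following action, to the next trajectory's first state."""
    for k in range(0, len(alpha) - 1, 2):
        tau, a, nxt = alpha[k], alpha[k + 1], alpha[k + 2]
        if a != "suggest" or not suggest_step(tau.lstate(), nxt.fstate()):
            return False
    return True


def trace(alpha: List[Union[Traj, str]], ext_actions=(), ext_vars=EXTERNAL_VARS):
    """(E, W)-restriction: drop actions outside E, project trajectories on W, and
    concatenate trajectories that become adjacent.  At a junction the value of the
    earlier trajectory is kept (assumed reading of the paper's concatenation)."""
    out: List[Union[Traj, str]] = []
    pending: List[Traj] = []

    def flush() -> None:
        if not pending:
            return
        segs = list(pending)
        pending.clear()

        def pasted(t: F, segs=segs) -> Val:
            offset = F(0)
            for s in segs:
                if t <= offset + s.ltime:
                    v = s.fn(t - offset)
                    return {w: v[w] for w in ext_vars}
                offset += s.ltime
            raise ValueError("time outside the domain of the pasted trajectory")
        out.append(Traj(sum(s.ltime for s in segs), pasted))

    for item in alpha:
        if isinstance(item, Traj):
            pending.append(item)
        elif item in ext_actions:
            flush()
            out.append(item)
        # an internal action is removed; its neighbours are pasted together
    flush()
    return out


def example_prefix(n: int) -> List[Union[Traj, str]]:
    """The closed prefix tau_0 suggest tau_1 ... suggest tau_{n-1} of alpha."""
    alpha: List[Union[Traj, str]] = []
    for i in range(n):
        if i > 0:
            alpha.append("suggest")
        alpha.append(controller_segment(i))
    return alpha


if __name__ == "__main__":
    alpha = example_prefix(5)
    print(is_execution_fragment(alpha))   # True
    beta = trace(alpha)                    # one trajectory of duration 5, no actions
    print(beta[0].fn(F(3)))                # acc-in 2 and vel-out 4 + 3*eps at time 3
```

The suggest step at time 3 meets the bound with equality (4 + 3ε + (0 + ε)·1 = vmax), which is why Example 4.5 needs vmax at least 4 + 4ε; lowering vmax makes `is_execution_fragment` reject the sequence.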


Like trajectories, execution fragments are closed under countable concatenation. 


Lemma 4.6. Let $\alpha_0, \alpha_1, \ldots$ be a finite or infinite sequence of execution fragments of A such that, 
for each nonfinal index i, $\alpha_i$ is closed and $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$. Then $\alpha_0 \frown \alpha_1 \frown \cdots$ is an execution 
fragment of A. 


Proof. Follows easily from the definitions, using axiom T3. 


Lemma 4.7. Let α and β be execution fragments of A with α closed. Then 
$$\alpha \le \beta \iff \exists \alpha' \in \mathit{frags}_A : \beta = \alpha \frown \alpha'.$$ 


Proof. Implication "⇐" follows directly from the corresponding implication in Lemma 3.7. Implication 
"⇒" follows from the definitions and T2. □ 


The external behavior of a hybrid automaton is captured by the set of "traces" of its execution 
fragments, which record external actions and the trajectories that describe the evolution of external 
variables. Formally, if α is an execution fragment, then the trace of α, denoted by trace(α), is the 
(E, W)-restriction of α. (Recall that E denotes the external actions and W the external variables.) A 
trace fragment of a hybrid automaton A from a state x of A is the trace of an execution fragment of A 
from x. We write $\mathit{tracefrags}_A(x)$ for the set of trace fragments of A from x. Also, we define a trace of A 
to be a trace fragment from a start state, that is, the trace of an execution of A, and write $\mathit{traces}_A$ for the 
set of traces of A. 

The following lemma follows trivially from Lemma 3.11: 


Lemma 4.8. If α is an execution fragment of A then 

(1) α is time-bounded if and only if trace(α) is time-bounded. 
(2) α is admissible if and only if trace(α) is admissible. 

(3) If α is closed then trace(α) is closed. 

(4) If α is non-Zeno then trace(α) is non-Zeno. 


In parts (3) and (4) of the above lemma, the converse implications do not hold. Counterexamples 
can be obtained by taking an execution fragment α that ends with an infinite sequence of internal 
actions without any delay in between. However, a slight weakening of the converse implications does 
hold: 


Lemma 4.9. If β is a trace fragment of A from state x then 


(1) If β is closed then there exists an execution fragment α of A from x such that trace(α) = β and α is 
closed. 

(2) If β is non-Zeno then there exists an execution fragment α of A from x such that trace(α) = β and 
α is non-Zeno. 


If the definition of non-Zeno were broadened to include the case of a right-open final trajectory, then part 
2 of the above lemma could fail. It might be that the only execution that leads to such a trace is a Zeno 
execution, one with infinitely many internal events, and delays which get smaller and smaller. 

The next definition defines an implementation relation between hybrid automata in terms of inclusion 
of traces: a low-level specification A implements a high-level specification B if any behavior (trace) 
of A is also an allowed behavior of B. Without additional assumptions, our implementation relation 
only preserves safety properties. However, in Section 7 we will see that if the low-level specification 
automaton is required to be receptive, our implementation relation also preserves bounded liveness 
properties. 


Definition 4.10. Hybrid automata $A_1$ and $A_2$ are comparable if they have the same external interface, 
that is, if $W_1 = W_2$ and $E_1 = E_2$. If $A_1$ and $A_2$ are comparable then we say that $A_1$ implements 
$A_2$, denoted by $A_1 \le A_2$, if the traces of $A_1$ are included among those of $A_2$, that is, if $\mathit{traces}_{A_1} \subseteq \mathit{traces}_{A_2}$.⁷ 


4.3. Simulation relations 


In this subsection, we define simulation relations between hybrid automata. Simulation relations may 
be used to show that one HA implements another, in the sense of inclusion of sets of traces. 

Let A and B be comparable HAs. A simulation from A to B is a relation $R \subseteq Q_A \times Q_B$ satisfying 
the following conditions, for all states $x_A$ and $x_B$ of A and B, respectively: 
(1) If $x_A \in \Theta_A$ then there exists a state $x_B \in \Theta_B$ such that $x_A\, R\, x_B$. 
(2) If $x_A\, R\, x_B$ and α is an execution fragment of A consisting of one action surrounded by two point 
trajectories, with α.fstate = $x_A$, then B has a closed execution fragment β with β.fstate = $x_B$, 
trace(β) = trace(α), and $\alpha.\mathit{lstate}\, R\, \beta.\mathit{lstate}$. 
(3) If $x_A\, R\, x_B$ and α is an execution fragment of A consisting of a single closed trajectory, with α.fstate = 
$x_A$, then B has a closed execution fragment β with β.fstate = $x_B$, trace(β) = trace(α), and $\alpha.\mathit{lstate}\, R\, \beta.\mathit{lstate}$. 


⁷ In [27,53,54,60], definitions of the set of traces of an automaton and of one automaton implementing another are based 
on closed and admissible executions only. The results we obtain in this paper using the newer, more inclusive definition imply 
corresponding results for the earlier definition. For example, we have the following property: If $A_1 \le A_2$ then the set of traces 
that arise from closed or admissible executions of $A_1$ is a subset of the set of traces that arise from closed or admissible 
executions of $A_2$. 


The definition of a simulation from A to B yields a correspondence for open trajectories: 


Lemma 4.11. Let A and B be comparable HAs and let R be a simulation from A to B. Let $x_A$ and $x_B$ 
be states of A and B, respectively, such that $x_A\, R\, x_B$. Let α be an execution fragment of A from state 
$x_A$ consisting of a single open trajectory. Then B has an execution fragment β with β.fstate = $x_B$ and 
trace(β) = trace(α). 


Proof. Let τ be the single open trajectory in α. Using axioms T1 and T2, we construct an infinite 
sequence $\tau_0, \tau_1, \ldots$ of closed trajectories of A such that $\tau = \tau_0 \frown \tau_1 \frown \cdots$. Then, working inductively, 
we construct a sequence $\beta_0, \beta_1, \ldots$ of closed execution fragments of B such that $\beta_0.\mathit{fstate} = x_B$ 
and, for each i, $\tau_i.\mathit{lstate}\, R\, \beta_i.\mathit{lstate}$, $\beta_i.\mathit{lstate} = \beta_{i+1}.\mathit{fstate}$, and $\mathit{trace}(\tau_i) = \mathit{trace}(\beta_i)$. This con- 
struction uses induction on i, using Property 3 of the definition of a simulation relation in the 
induction step. Now let $\beta = \beta_0 \frown \beta_1 \frown \cdots$. By Lemma 4.6, β is an execution fragment of B. Clearly, 
β.fstate = $x_B$. By Lemma 3.9 applied to both α and β, trace(β) = trace(α). Thus β has the required 
properties. □ 


Theorem 4.12. Let A and B be comparable HAs and let R be a simulation from A to B. Let $x_A$ and 
$x_B$ be states of A and B, respectively, such that $x_A\, R\, x_B$. Then $\mathit{tracefrags}_A(x_A) \subseteq \mathit{tracefrags}_B(x_B)$. 


Proof. Suppose that δ is the trace of an execution fragment of A that starts from $x_A$; we prove that δ is 
also a trace of an execution fragment of B that starts from $x_B$. Let $\alpha = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \cdots$ be an execution 
fragment of A such that α.fstate = $x_A$ and δ = trace(α). We consider cases: 

(1) α is an infinite sequence. 

Using axioms T1 and T2, we can write α as an infinite concatenation $\alpha_0 \frown \alpha_1 \frown \alpha_2 \frown \cdots$, in which 
the execution fragments $\alpha_i$ with i even consist of a trajectory only, and the execution fragments $\alpha_i$ 
with i odd consist of a single discrete step surrounded by two point trajectories. 

We define inductively a sequence $\beta_0, \beta_1, \ldots$ of closed execution fragments of B, such that $\beta_0.\mathit{fstate} 
= x_B$ and, for all i, $\beta_i.\mathit{lstate} = \beta_{i+1}.\mathit{fstate}$, $\alpha_i.\mathit{lstate}\, R\, \beta_i.\mathit{lstate}$, and $\mathit{trace}(\beta_i) = \mathit{trace}(\alpha_i)$. We 
use Property 3 of the definition of a simulation relation for the construction of the $\beta_i$'s with 
i even, and Property 2 for the construction of the $\beta_i$'s with i odd. Let $\beta = \beta_0 \frown \beta_1 \frown \beta_2 \frown \cdots$. By 
Lemma 4.6, β is an execution fragment of B. Clearly, β.fstate = $x_B$. By Lemma 3.9, trace(β) = 
trace(α). Thus β has the required properties. 

(2) α is a finite sequence ending with a closed trajectory. 
Similar to the first case. 
(3) α is a finite sequence ending with an open trajectory. 
Similar to the first case, using Lemma 4.11. □ 


Corollary 4.13. Let A and B be comparable HAs and let R be a simulation from A to B. Then 
$\mathit{traces}_A \subseteq \mathit{traces}_B$. 

Proof. Suppose $\beta \in \mathit{traces}_A$. Then $\beta \in \mathit{tracefrags}_A(x_A)$ for some start state $x_A$ of A. Property 1 of 
the definition of simulation relation implies the existence of a start state $x_B$ of B such that $x_A\, R\, x_B$. 
Then Theorem 4.12 implies that $\beta \in \mathit{tracefrags}_B(x_B)$. Since $x_B$ is a start state of B, this implies that 
$\beta \in \mathit{traces}_B$, as needed. □ 


Example 4.14 (Vehicle implementation). Now denote the Vehicle HA of Example 4.2 by Vehicle(ε), 
making the uncertainty parameter explicit. Assume that $0 < \varepsilon_1 \le \varepsilon_2$. Let A = Vehicle($\varepsilon_1$) and B = 
Vehicle($\varepsilon_2$). We claim that A ≤ B. We can show this by demonstrating that the identity mapping is a 
simulation relation from A to B. Since these HAs have no discrete steps, we need only show Properties 
1 and 3 of the definition of simulation relation. Property 1 is obvious because the two HAs have the 
same (unique) start state, which assigns 0 to both state variables. For Property 3, assume that $x_A\, R\, x_B$ 
and α consists of a closed trajectory τ of A with α.fstate = $x_A$. Let β = α. Clearly, β is a closed hybrid 
sequence, β.fstate = $x_B$, trace(β) = trace(α), and $\alpha.\mathit{lstate}\, R\, \beta.\mathit{lstate}$. It remains to show that β is an 
execution fragment of B, that is, that τ is a trajectory of B. This follows immediately from the definition 
of trajectories for Vehicle($\varepsilon_1$) and Vehicle($\varepsilon_2$); the only interesting point is that, for every t ∈ dom(τ), 
t > 0, we have: $[\mathit{acc\text{-}in}(t) - \varepsilon_1, \mathit{acc\text{-}in}(t) + \varepsilon_1] \subseteq [\mathit{acc\text{-}in}(t) - \varepsilon_2, \mathit{acc\text{-}in}(t) + \varepsilon_2]$. 


Example 4.15 (Controller implementation). Denote the Controller HA of Example 4.3 by Controller(vmax), 
making the maximum velocity parameter explicit. Assume that $0 < \mathit{vmax}_1 \le \mathit{vmax}_2$. We claim 
that Controller($\mathit{vmax}_1$) ≤ Controller($\mathit{vmax}_2$); again, we show this by demonstrating that the identity 
mapping is a simulation relation. This requires showing all three properties of the definition of simulation 
relation. Properties 1 and 3 are immediate, because vmax does not appear in the definitions of the start 
states and the trajectories. For Property 2, the key is that, if $\mathit{vel\text{-}sensed} + (\mathit{acc\text{-}suggested}' + \varepsilon)d \le \mathit{vmax}_1$, 
then also $\mathit{vel\text{-}sensed} + (\mathit{acc\text{-}suggested}' + \varepsilon)d \le \mathit{vmax}_2$. 


5. Operations on hybrid automata 


In this section, we present two kinds of operations on hybrid automata: parallel composition and hiding. 


5.1. Composition 


We now introduce the operation of parallel composition for hybrid automata, which allows an autom- 
aton representing a complex system to be constructed by composing automata representing individual 
system components. Our composition operation identifies external actions with the same name in different 
component automata, and likewise for external variables. When any component automaton performs a 
discrete step involving an action a, so do all component automata that have a in their signatures. 
Likewise, when any component automaton performs a trajectory involving a particular evolution of 
values for an external variable v, then so do all component automata that have v in their signatures. We 
prove several results that say that the composition operation respects our notions of external behavior 
and implementation. 

We define composition as a partial, binary operation on hybrid automata. Since internal actions of an 
automaton $A_1$ are intended to be unobservable by any other automaton $A_2$, we allow $A_1$ to be composed 
with $A_2$ only if the internal actions of $A_1$ are disjoint from the actions of $A_2$. Similarly, we require 
disjointness of the internal variables of $A_1$ and the variables of $A_2$. 


Definition 5.1. We say that hybrid automata $A_1$ and $A_2$ are compatible if $H_1 \cap A_2 = H_2 \cap A_1 = \emptyset$ and 
$X_1 \cap V_2 = X_2 \cap V_1 = \emptyset$. If $A_1$ and $A_2$ are compatible then their composition $A_1 \parallel A_2$ is defined to be 
the structure A = (W, X, Q, Θ, E, H, D, T) where 

• $W = W_1 \cup W_2$ and $X = X_1 \cup X_2$. 

• $Q = \{x \in \mathit{val}(X) \mid x\lceil X_1 \in Q_1 \wedge x\lceil X_2 \in Q_2\}$. 

• $\Theta = \{x \in Q \mid x\lceil X_1 \in \Theta_1 \wedge x\lceil X_2 \in \Theta_2\}$. 

• $E = E_1 \cup E_2$ and $H = H_1 \cup H_2$. 

• For each $x, x' \in Q$ and each a ∈ A, $x \xrightarrow{a}_A x'$ iff for i = 1, 2, either (1) $a \in A_i$ and $x\lceil X_i \xrightarrow{a}_i x'\lceil X_i$, or 
(2) $a \notin A_i$ and $x\lceil X_i = x'\lceil X_i$. 

• $T \subseteq \mathit{trajs}(V)$ is given by $\tau \in T \iff \tau\lceil V_1 \in T_1 \wedge \tau\lceil V_2 \in T_2$. 

Whenever we write $A_1 \parallel A_2$, we implicitly assume that $A_1$ and $A_2$ are compatible. 


Theorem 5.2. If $A_1$ and $A_2$ are compatible hybrid automata then $A_1 \parallel A_2$ is a hybrid automaton. 


Proof. Let A denote $A_1 \parallel A_2$ as above. We show that A satisfies the properties of a hybrid automaton 
(cf. Section 4.1). Disjointness of W and X follows from disjointness of $W_1$ and $X_1$, disjointness of $W_2$ 
and $X_2$, and compatibility. Similarly, disjointness of E and H follows from disjointness of $E_1$ and $H_1$, 
disjointness of $E_2$ and $H_2$, and compatibility. Nonemptiness of Θ follows from nonemptiness of $\Theta_1$ and 
$\Theta_2$ and disjointness of $X_1$ and $X_2$. We verify the T properties: 

T1 Let τ ∈ T, let τ' be a trajectory such that τ' ≤ τ, and let i ∈ {1, 2}. By the definition of composition, 
$\tau\lceil V_i \in T_i$. By the definition of prefix, $\tau'\lceil V_i \le \tau\lceil V_i$. By T1 applied to $A_i$, $\tau'\lceil V_i \in T_i$. Then by 
definition of composition, τ' ∈ T, as needed. 

T2 Let τ ∈ T, t ∈ dom(τ), $\tau' = \tau \rhd t$, and i ∈ {1, 2}. By the definition of composition, $\tau\lceil V_i \in T_i$. Then 
by T2 applied to $A_i$, $(\tau\lceil V_i) \rhd t \in T_i$. Observe that $(\tau\lceil V_i) \rhd t = \tau'\lceil V_i$; therefore, $\tau'\lceil V_i \in T_i$. Then 
by the definition of composition, τ' ∈ T, as needed. 

T3 Let $\tau_0, \tau_1, \tau_2, \ldots$ be a sequence of trajectories in T such that, for each nonfinal index j, $\tau_j$ is 
closed and $\tau_j.\mathit{lstate} = \tau_{j+1}.\mathit{fstate}$. Let τ denote $\tau_0 \frown \tau_1 \frown \tau_2 \frown \cdots$, and let i ∈ {1, 2}. By the definition 
of composition, for each index j, $\tau_j\lceil V_i \in T_i$, and for each nonfinal index j, $\tau_j\lceil V_i$ is 
closed and $(\tau_j\lceil V_i).\mathit{lstate} = (\tau_{j+1}\lceil V_i).\mathit{fstate}$. By T3 applied to $A_i$, $\tau_0\lceil V_i \frown \tau_1\lceil V_i \frown \tau_2\lceil V_i \frown \cdots \in T_i$. 
Observe that $\tau\lceil V_i = \tau_0\lceil V_i \frown \tau_1\lceil V_i \frown \tau_2\lceil V_i \frown \cdots$; therefore, $\tau\lceil V_i \in T_i$. Then by the definition of 
composition, τ ∈ T, as needed. □ 


The following “projection lemma” says that executions of a composition of HAs project to give executions 
of the component automata. Moreover, certain properties of the executions of the composition imply, or 
are implied by, similar properties for the component executions. 


Lemma 5.3. Let $A = A_1 \parallel A_2$ and let α be an execution fragment of A. Then $\alpha\lceil(A_1, V_1)$ and $\alpha\lceil(A_2, V_2)$ 
are execution fragments of $A_1$ and $A_2$, respectively. Furthermore, 

(1) α is time-bounded iff both $\alpha\lceil(A_1, V_1)$ and $\alpha\lceil(A_2, V_2)$ are time-bounded. 
(2) α is admissible iff both $\alpha\lceil(A_1, V_1)$ and $\alpha\lceil(A_2, V_2)$ are admissible. 

(3) α is closed iff both $\alpha\lceil(A_1, V_1)$ and $\alpha\lceil(A_2, V_2)$ are closed. 

(4) α is Zeno iff at least one of $\alpha\lceil(A_1, V_1)$ and $\alpha\lceil(A_2, V_2)$ is Zeno. 

(5) α is an execution iff both $\alpha\lceil(A_1, V_1)$ and $\alpha\lceil(A_2, V_2)$ are executions. 


Proof. Simple application of the definitions. 


Example 5.4 (Composition and Zeno executions). Consider a composition $A = A_1 \parallel A_2$ in which the 
two components have no actions or variables in common. We describe a Zeno execution fragment α of 
A in which only one of the projected execution fragments is Zeno. Namely, let $\alpha = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \cdots$, 
where $\tau_0.\mathit{ltime} = 1$ and for all i ≥ 1, $\tau_i$ is a point trajectory. Also, all the $a_i$'s are actions of $A_1$ but 
not of $A_2$. Then $\alpha\lceil(A_1, V_1)$, which includes all the $a_i$'s, is a Zeno execution fragment, whereas 
$\alpha\lceil(A_2, V_2)$, which consists of the single right-closed trajectory $\tau_0\lceil V_2$, is a closed execution fragment. 


Example 5.5 (Execution of vehicle and controller). Consider the Vehicle and Controller automata of 
Examples 4.2 and 4.3 (for the same ε). These two HAs are compatible. Their composition is displayed in 
Fig. 5. An example execution of the composition is the infinite sequence α = $\tau_0$ suggest $\tau_1$ suggest $\tau_2$ ..., 
where, for every i and for every t ∈ dom($\tau_i$): 

(1) $\tau_i.\mathit{ltime} = 1$. 

(2) $\tau_i(t)(\mathit{clock}) = t$. 

(3) If i = 0 then $\tau_i(t)(v)$ is equal to 0 for v ∈ {acc-suggested, acc-in}, ε for v = acc, and εt for v ∈ 
{vel, vel-out, vel-sensed}. 

(4) If 1 ≤ i ≤ 2 then $\tau_i(t)(v)$ is equal to 2 for v ∈ {acc-suggested, acc-in}, 2 + ε for v = acc, and 
(2 + ε)(i + t) − 2 for v ∈ {vel, vel-out, vel-sensed}. 

(5) If i ≥ 3 then $\tau_i(t)(v)$ is equal to 0 for v ∈ {acc-suggested, acc-in, acc} and 4 + 3ε for v ∈ {vel, 
vel-out, vel-sensed}. 

This execution is admissible. Its projections on the Vehicle and Controller automata are given by the 
admissible executions in Examples 4.4 and 4.5, respectively. 


Fig. 5. Composition of hybrid automata Vehicle and Controller. [Block diagram; the labels that survive extraction are Controller, vel-sensed, acc-suggested and vel-out.] 




The following lemma says that we obtain the same result for an execution fragment α of a composition 
if we first extract the trace and then restrict to one of the components, or if we first restrict to the component 
and then take the trace. 


Lemma 5.6. Let $A = A_1 \parallel A_2$, and let α be an execution fragment of A. Then, for i = 1, 2, 
$\mathit{trace}(\alpha)\lceil(E_i, W_i) = \mathit{trace}(\alpha\lceil(A_i, V_i))$. 


Proof. Recall that trace(α) = α⌈(E, W). The result follows straightforwardly by Lemma 3.10 and the 
observation that $W \cap W_i = W_i = V_i \cap W_i$ and $E \cap E_i = E_i = A_i \cap E_i$. □ 


The following fundamental theorem relates the set of traces of a composed automaton to the sets of 
traces of the component automata. It is expressed in terms of equality between two sets of traces. Set 
inclusion in one direction expresses the idea that a trace of a composition “projects” to yield traces of 
the components. Set inclusion in the other direction expresses the idea that traces of components can be 
“pasted together” to yield a trace of the composition. 


Theorem 5.7. Let $A = A_1 \parallel A_2$. Then $\mathit{traces}_A$ is exactly the set of (E, W)-sequences whose restrictions 
to $A_1$ and $A_2$ are traces of $A_1$ and $A_2$, respectively. That is, 


$$\mathit{traces}_A = \{\beta \mid \beta \text{ is an } (E, W)\text{-sequence and } \beta\lceil(E_i, W_i) \in \mathit{traces}_{A_i},\ i = 1, 2\}.$$ 


Proof. For one direction, suppose that β is a trace of A. Then by definition, β is an (E, W)-sequence. 
Let α be an execution of A such that β = trace(α). Let i ∈ {1, 2}. Then Lemma 5.6 implies that 
$\beta\lceil(E_i, W_i) = \mathit{trace}(\alpha\lceil(A_i, V_i))$. Since, by Lemma 5.3, $\alpha\lceil(A_i, V_i)$ is an execution of $A_i$, $\beta\lceil(E_i, W_i)$ is 
a trace of $A_i$. 

Conversely, let β be an (E, W)-sequence such that $\beta\lceil(E_i, W_i)$ is a trace of $A_i$, i = 1, 2. Then there 
are executions $\alpha_1$ and $\alpha_2$ of $A_1$ and $A_2$, respectively, such that, for i = 1, 2, $\mathit{trace}(\alpha_i) = \beta\lceil(E_i, W_i)$. 
Decompose $\alpha_1$ into $\alpha_1^0 \frown \alpha_1^1 \frown \alpha_1^2 \frown \cdots$, decompose $\alpha_2$ into $\alpha_2^0 \frown \alpha_2^1 \frown \alpha_2^2 \frown \cdots$, and decompose β into $\beta^0 \frown 
\beta^1 \frown \beta^2 \frown \cdots$ in such a way that for each j, (1) $\mathit{trace}(\alpha_i^j) = \beta^j\lceil(E_i, W_i)$ for i ∈ {1, 2}, (2) $\alpha_i^j$ is either a 
trajectory or an action surrounded by point trajectories, i ∈ {1, 2}, and (3) if both $\alpha_1^j$ and $\alpha_2^j$ consist of 
actions surrounded by point trajectories then these actions are identical. Axioms T1 and T2 imply that 
such decompositions exist.⁸ 


Now we define a sequence of execution fragments of A, $\alpha^0, \alpha^1, \ldots$, such that 

(1) $\alpha^0.\mathit{fstate} \in \Theta_A$, 

(2) for every nonfinal j, $\alpha^j.\mathit{lstate} = \alpha^{j+1}.\mathit{fstate}$, and 

(3) for every j, $\mathit{trace}(\alpha^j) = \beta^j$. 

By Lemma 4.6, the concatenation $\alpha^0 \frown \alpha^1 \frown \cdots$ is an execution of A. Moreover, by Lemma 3.9, the trace 
of this execution is β. To define each $\alpha^j$, we distinguish the following cases: 


(1) Each of $\alpha_1^j$ and $\alpha_2^j$ is a trajectory. 
Then suppose that $\alpha_1^j = \tau_1$ and $\alpha_2^j = \tau_2$. Define $\alpha^j$ to be the function τ with domain dom($\tau_1$) such 
that $\tau(t) = \tau_1(t) \cup \tau_2(t)$ for every t. (Compatibility of $\tau_1$ and $\tau_2$ follows here, and in the remaining 
three cases, from the facts that $\mathit{trace}(\alpha_1^j) = \beta^j\lceil(E_1, W_1)$ and $\mathit{trace}(\alpha_2^j) = \beta^j\lceil(E_2, W_2)$.) 
(2) $\alpha_1^j$ is a trajectory and $\alpha_2^j$ is an action surrounded by point trajectories. 
Then $\alpha_1^j$ must be a point trajectory as well. Let $\alpha_1^j = \wp(v_1)$ and $\alpha_2^j = \wp(v_2)\, a\, \wp(v_2')$. Then define 
$\alpha^j$ to be $\wp(v_1 \cup v_2)\, a\, \wp(v_1 \cup v_2')$. 
(3) $\alpha_1^j$ is an action surrounded by point trajectories and $\alpha_2^j$ is a trajectory. 
This is symmetric with the previous case. 
(4) Each of $\alpha_1^j$ and $\alpha_2^j$ is an action (the same in both cases) surrounded by point trajectories. 
Let $\alpha_1^j = \wp(v_1)\, a\, \wp(v_1')$ and $\alpha_2^j = \wp(v_2)\, a\, \wp(v_2')$. Define $\alpha^j$ to be $\wp(v_1 \cup v_2)\, a\, \wp(v_1' \cup v_2')$. 
It is straightforward to verify that the $\alpha^j$ fragments satisfy the required properties. □ 


⁸ See [59] for a detailed existence proof for similar decompositions. 


The following theorem describes a basic substitutivity property: 


Theorem 5.8. Suppose $A_1$ and $A_2$ are comparable HAs with $A_1 \le A_2$. Suppose B is an HA that is 
compatible with each of $A_1$ and $A_2$. Then $A_1 \parallel B$ and $A_2 \parallel B$ are comparable and $A_1 \parallel B \le A_2 \parallel B$. 


Proof. The fact that $A_1 \parallel B$ and $A_2 \parallel B$ are comparable follows from the fact that $A_1$ and $A_2$ are 
comparable and the definition of composition. 

Let $\beta \in \mathit{traces}_{A_1 \parallel B}$. By Theorem 5.7, $\beta\lceil(E_1, W_1) \in \mathit{traces}_{A_1}$ and $\beta\lceil(E_B, W_B) \in \mathit{traces}_B$. Since $A_1 \le 
A_2$, $\beta\lceil(E_1, W_1) \in \mathit{traces}_{A_2}$. Since $A_1$ and $A_2$ have the same external interface, $(E_1, W_1) = (E_2, W_2)$. 
Thus, $\beta\lceil(E_2, W_2) \in \mathit{traces}_{A_2}$. It follows from Theorem 5.7 that $\beta \in \mathit{traces}_{A_2 \parallel B}$. □ 


Example 5.9 (Invariant for combined vehicle and controller). Consider again the composition of the 
Vehicle and Controller automata of Examples 4.2 and 4.3 (for the same ε). In the composed automaton, 
it turns out that the velocity is always less than or equal to vmax, that is, in all reachable states, 


vel ≤ vmax (12) 


This statement may be proved by induction on the length of closed execution fragments. In the proof, 
we use the fact that clock ≤ d, which follows from the definition of Q. We also use assertions (3) and 
(11). In addition, we require the following auxiliary invariants: 


vel + (acc-suggested + ε)(d − clock) ≤ vmax (13) 
clock > 0 ⇒ acc ≤ acc-suggested + ε (14) 
vel-sensed = vel (15) 
0 ≤ clock (16) 


Here the interesting assertion is (13), which says, essentially, that the velocity will stay less than or 
equal to vmax if the vehicle accelerates at the currently suggested acceleration plus ε until the next 
recalculation. The main invariant (12) and the auxiliary invariants (13)-(16) can all be proved together. 
All are easily seen to be true in the initial state. There are two kinds of inductive steps, for discrete 
suggest transitions and for trajectories. Discrete transitions are easily seen to preserve all the assertions; 
the most interesting property to show is invariant (13), which holds because of the constraints on the 
new suggested acceleration, the fact that vel-sensed = vel, and the fact that, in the new state, clock 
= 0. 

Trajectories also preserve all the assertions; now the interesting thing to show is the conjunction of 
(12) and (13). Depending on whether or not acc-suggested + ε ≥ 0, it suffices to show only (13) or only 
(12): since 0 ≤ clock ≤ d, the term (acc-suggested + ε)(d − clock) is nonnegative in the first case, so (13) 
implies (12), and nonpositive in the second, so (12) implies (13). For example, suppose acc-suggested + ε ≥ 0; 
we show the auxiliary invariant (13). The trajectory guarantees that vel' ≤ vel + (acc-suggested + ε)t 
and clock' = clock + t, where t is the limit time of the trajectory and unprimed and primed instances of 
the variables are used (as usual) to indicate their values at the beginning and end of the trajectory, 
respectively. The inequality is based on the integral definition of vel in terms of acc and the relationship 
between acc and acc-suggested (assertion (14), with acc-suggested held constant along the trajectory by (8)). Then 


$$
\begin{aligned}
&\mathit{vel}' + (\mathit{acc\text{-}suggested}' + \varepsilon)(d - \mathit{clock}') \\
&= \mathit{vel}' + (\mathit{acc\text{-}suggested} + \varepsilon)(d - \mathit{clock} - t) \\
&= \mathit{vel}' - (\mathit{acc\text{-}suggested} + \varepsilon)\,t + (\mathit{acc\text{-}suggested} + \varepsilon)(d - \mathit{clock}) \\
&\le \mathit{vel} + (\mathit{acc\text{-}suggested} + \varepsilon)(d - \mathit{clock}) \\
&\le \mathit{vmax} \quad \text{(by inductive hypothesis).}
\end{aligned}
$$ 


Note that, because of the two kinds of inductive steps, the inductive proof divides cleanly into separate 
parts that involve discrete and continuous reasoning. 
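The inductive argument above can be exercised mechanically. The following Python script (an added example, not code from the paper) encodes the suggest step and a constant-acceleration trajectory of the composed Vehicle ∥ Controller, runs closed executions in which the Vehicle always applies the worst-case acceleration acc-in + ε, and evaluates assertions (12)-(16) in every state visited. It also shows what the proof step for discrete transitions depends on: a controller whose suggest rule omits the ε slack (the `budget_for_eps=False` variant, an assumed modification of the Controller) breaks (13) immediately and (12) one period later. The values d = 1, ε = 1/10, vmax = 5 and the two suggestion policies are assumptions of the example.

```python
"""Inductive invariant check for Vehicle || Controller (Example 5.9): step the composed
automaton through closed executions and evaluate assertions (12)-(16) in every state
reached.  Added example, not the paper's code; d = 1, epsilon = 1/10, vmax = 5, the
worst-case choice acc = acc-in + eps and the two suggestion policies are assumptions."""
from fractions import Fraction as F
from typing import Callable, Dict, List, Tuple

State = Dict[str, F]
D, EPS, VMAX = F(1), F(1, 10), F(5)


def invariants(x: State) -> Dict[str, bool]:
    """Assertions (12)-(16) of Example 5.9, evaluated in state x."""
    return {
        "(12)": x["vel"] <= VMAX,
        "(13)": x["vel"] + (x["acc-suggested"] + EPS) * (D - x["clock"]) <= VMAX,
        "(14)": x["clock"] == 0 or x["acc"] <= x["acc-suggested"] + EPS,
        "(15)": x["vel-sensed"] == x["vel"],
        "(16)": x["clock"] >= 0,
    }


def suggest(x: State, new_acc: F, slack: F) -> State:
    """The suggest step: enabled at clock = d, it resets the clock and installs a new
    suggestion.  The Controller of Example 4.3 uses slack = eps; slack = 0 models a
    controller that forgets to budget for the Vehicle's actuator uncertainty."""
    assert x["clock"] == D, "suggest is enabled only when clock = d"
    assert x["vel-sensed"] + (new_acc + slack) * D <= VMAX, "precondition of suggest"
    return {**x, "clock": F(0), "acc-suggested": new_acc, "acc-in": new_acc}


def flow(x: State, duration: F, acc: F) -> State:
    """A closed trajectory of the composition with constant acc: clock runs at rate 1,
    acc-in = acc-suggested is held, acc stays within eps of acc-in (the Vehicle's
    constraint), vel is the integral of acc, and vel-sensed and vel-out track vel."""
    assert F(0) <= duration <= D - x["clock"], "Q requires clock <= d"
    assert abs(acc - x["acc-in"]) <= EPS, "Vehicle: acc in [acc-in - eps, acc-in + eps]"
    vel = x["vel"] + acc * duration
    return {**x, "clock": x["clock"] + duration, "acc": acc,
            "vel": vel, "vel-sensed": vel, "vel-out": vel}


def greedy(upper: F) -> F:
    """Always the largest suggestion the rule admits."""
    return upper


def cautious(upper: F) -> F:
    """Half of the admitted headroom, never above the admitted bound."""
    return min(upper, upper / 2)


def explore(periods: int, policy: Callable[[F], F] = greedy,
            budget_for_eps: bool = True) -> List[Tuple[str, State]]:
    """Run the given number of recalculation periods.  Each period is cut into three
    sub-trajectories (Lemma 4.6 pastes them back together) driven by the worst-case
    acceleration acc = acc-in + eps, followed by one suggest step chosen by `policy`.
    Returns every (assertion, state) pair in which one of (12)-(16) fails."""
    slack = EPS if budget_for_eps else F(0)
    x: State = {v: F(0) for v in ("clock", "vel", "vel-sensed", "vel-out",
                                  "acc", "acc-in", "acc-suggested")}
    failures: List[Tuple[str, State]] = []

    def visit(y: State) -> None:
        failures.extend((name, y) for name, ok in invariants(y).items() if not ok)

    visit(x)
    for _ in range(periods):
        for _ in range(2):
            x = flow(x, (D - x["clock"]) / 2, x["acc-in"] + EPS)
            visit(x)
        x = flow(x, D - x["clock"], x["acc-in"] + EPS)
        visit(x)
        upper = (VMAX - x["vel-sensed"]) / D - slack   # largest suggestion the rule admits
        x = suggest(x, policy(upper), slack)
        visit(x)
    return failures


if __name__ == "__main__":
    print(explore(20))                           # []: (12)-(16) hold in every state
    print(explore(2, budget_for_eps=False)[:1])  # (13) fails right after the first suggest
```

With the ε budget in place the greedy policy drives vel to exactly vmax and holds it there, which is the tight case of (13); without the budget the same policy overshoots by ε·d within one period, so the "+ ε" in the suggest rule is the whole safety margin.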


5.2. Hiding 


We define two hiding operations for hybrid automata, which hide external actions and external 
variables, respectively, and we prove that these operations respect the implementation relationship. The 
hiding operations reclassify external actions or external variables as internal actions or variables. 

• If $E \subseteq E_A$, then ActHide(E, A) is the HA B that is equal to A except that $E_B = E_A - E$ and 
$H_B = H_A \cup E$. 

• If $W \subseteq W_A$, then VarHide(W, A) is the HA B that is equal to A except that $W_B = W_A - W$ and 
$T_B = T_A\lceil(V_A - W)$. 


Lemma 5.10. Let $E \subseteq E_A$ and $W \subseteq W_A$. Then ActHide(E, A) and VarHide(W, A) are HAs. 


Proof. This is a straightforward application of the definitions. 


The following lemma characterizes the traces of the automata that result from applying the hiding 
operations: 


Lemma 5.11. Let A be an HA. 
(1) If $E \subseteq E_A$ then $\mathit{traces}_{\mathit{ActHide}(E, A)} = \{\beta\lceil(E_A - E, W_A) \mid \beta \in \mathit{traces}_A\}$. 
(2) If $W \subseteq W_A$ then $\mathit{traces}_{\mathit{VarHide}(W, A)} = \{\beta\lceil(E_A, W_A - W) \mid \beta \in \mathit{traces}_A\}$. 


Proof. For (1), first observe that ActHide(E, A) has the same set of executions as A. Then apply Lemma 
3.10. The proof of (2) is straightforward. 
Theorem 5.12. Suppose A and B are HAs with A ≤ B, and suppose $E \subseteq E_A$ and $W \subseteq W_A$. Then 
ActHide(E, A) ≤ ActHide(E, B) and VarHide(W, A) ≤ VarHide(W, B). 


Proof. Straightforward, using Lemma 5.11. 


Example 5.13 (implementing a velocity specification). In the composition of the Vehicle and Controller 
automata defined in Example 5.5, we may hide the acc-in variable used for communication between the 
two components. Thus, we define 


A = VarHide({acc-in}, Vehicle ∥ Controller). 


In the resulting automaton A, the only external variable is vel-out. 

We may express the correctness of A by showing that it implements an abstract specification automaton 
VSpec, displayed in Fig. 6, that simply represents the constraint that the vehicle's velocity is at most 
vmax. VSpec has one external variable vel-out, one state variable vel, and the sets of states and initial 
states both consist of all valuations satisfying vel ≤ vmax. Both variables have type ℝ and dynamic type 
equal to the (pasting closure of the) continuous functions. VSpec has no actions. 

The trajectories of VSpec are those that satisfy: 


vel-out = vel (17) 


We may argue that A implements VSpec using a simulation relation R. Most of the work has already 
been done by proving invariants in Example 5.9. Relation R relates states $x_A$ of A and $x_B$ of B ≜ VSpec 
exactly if $x_A$ is a reachable state of A and $x_B(\mathit{vel}) = x_A(\mathit{vel})$. It is easy to see that R satisfies the start 
condition of the simulation relation definition. The discrete step condition follows because discrete actions 
of A do not change vel. For the trajectory condition, assume $x_A\, R\, x_B$ and τ is a trajectory of A with first 
state $x_A$. The definition of R implies that $x_A$ is a reachable state of A. Therefore all states in trajectory τ 
are also reachable states of A. Therefore, the invariant vel ≤ vmax, which was proved for A in Example 
5.9, is also true of all states in τ. Now define the corresponding execution fragment of B to consist of the 
single trajectory τ' such that $\tau'\lceil\mathit{vel} = \tau'\lceil\mathit{vel\text{-}out} = \tau\lceil\mathit{vel}$. This satisfies all the required properties. 


Example 5.14 (Sensor and discrete controller). We describe how to implement the Controller of 
Example 4.3, which receives continuous information about the vehicle's velocity through vel-out and 
suggests accelerations, using two other components: a Sensor, which periodically samples the continuous 
velocity information and produces discrete velocity reports, and a DiscreteController, which uses the 
discrete velocity reports and immediately suggests accelerations. These two components are displayed in 
Fig. 7. 


Fig. 6. Specification automaton VSpec. [Figure not reproduced.] 


Fig. 7. The hybrid automata Sensor and DiscreteController. [Block diagram; the labels that survive extraction are vel-out, report(v), stable, acc-in, vel-reported and suggest.] 

The Sensor automaton has state variables clock and vel-sensed, both initially 0, and external variable 
vel-out. All variables have type ℝ and dynamic type equal to the (pasting closure of the) continuous 
functions. The set Q of states consists of all valuations in which clock ≤ d. Sensor also has external 
actions report(v), v ∈ ℝ. D consists of report(v) steps specified by: 


clock = d (18) 
clock' = 0 (19) 
v = vel-sensed (20) 


That is, when the clock reaches d, the Sensor may reset the clock to 0 and report the current velocity. Set 
T consists of trajectories that satisfy: 


$\dot{\mathit{clock}} = 1$ (21) 
vel-sensed(t) = vel-out(t) for t > 0 (22) 


That is, the clock increases at rate 1 and the velocity sensed is exactly what is seen in vel-out. 

The DiscreteController HA has state variables vel-reported and acc-suggested, both discrete variables 
of type ℝ, initially 0, a discrete Boolean state variable stable, initially true, and one external 
variable acc-in, of type ℝ and dynamic type equal to (the pasting closure of) the continuous functions. 
The set Q of states consists of all valuations of the internal variables. The DiscreteController also has 
external actions report(v), v ∈ ℝ, and an internal action suggest. D includes report(v) steps that 
satisfy: 


vel-reported' = v (23) 
stable' = false (24) 


and suggest steps that satisfy: 


stable = false (25) 
stable' = true (26) 
vel-reported + (acc-suggested' + ε)d ≤ vmax (27) 


That is, a new velocity report sets the flag that triggers the DiscreteController to recalculate the suggested 
acceleration. Trajectories satisfy: 


stable(t) = stable(0) (28) 
stable(t) = true for t > 0 (29) 
$\dot{\mathit{acc\text{-}suggested}} = 0$ (30) 
acc-in = acc-suggested (31) 


That is, the DiscreteController does not allow time to pass if stable = false; it must perform a suggest 
action after receiving a report input and before time can pass. The DiscreteController does not change 
the suggested acceleration during a trajectory, and submits it accurately to its environment. Now define 


A = ActHide({report(v) | v ∈ ℝ}, Sensor ∥ DiscreteController). 


We claim that A implements B ≜ Controller. We may argue this using the simulation relation 
R that relates states $x_A$ of A and $x_B$ of Controller provided that $x_A$ is a reachable state of A, 
$x_B(\mathit{vel\text{-}sensed}) = x_A(\mathit{vel\text{-}sensed})$, $x_B(\mathit{acc\text{-}suggested}) = x_A(\mathit{acc\text{-}suggested})$, and $x_B(\mathit{clock}) = x_A(\mathit{clock})$ 
if $x_A(\mathit{stable}) = \mathit{true}$, else d. A key to the argument is that a suggest step occurs in B when suggest 
occurs in A, rather than when a report occurs. 

Since A < Controller, Theorem 5.8 implies A|| Vehicle < Controller||Vehicle. Then Theorem 5.12 
implies 

VarHide({acc-in}, A|| Vehicle) < VarHide({acc-in}, Controller || Vehicle). 


Since, by Example 5.13, VarHide({acc-in}, Controller|| Vehicle) < VSpec, transitivity of implementa- 
tion implies that VarHide({acc-in}, A|| Vehicle) implements VSpec. 


6. Hybrid I/O automata 


In this section, we refine the hybrid automaton model of Section 4 by distinguishing between input and 
output actions and between input and output variables. The results on simulation relations and operations 
for hybrid automata presented in Sections 4.3 and 5 can be extended to this new setting. 


6.1. Definition of hybrid I/O automata 


Definition 6.1. A hybrid I/O automaton (HIOA) A is a tuple $(H, U, Y, I, O)$ where
• $H = (W, X, Q, \Theta, E, H, D, T)$ is a hybrid automaton.
• U and Y partition W into input and output variables, respectively. Variables in $Z = X \cup Y$ are called locally controlled; as before, we write $V \triangleq W \cup X$.
• I and O partition E into input and output actions, respectively. Actions in $L \triangleq H \cup O$ are called locally controlled; as before we write $A \triangleq E \cup H$.
• The following additional axioms are satisfied:
E1 (Input action enabling)
For every $x \in Q$ and every $a \in I$, there exists $x' \in Q$ such that $x \xrightarrow{a} x'$.
E2 (Input trajectory enabling)
For every $x \in Q$ and every $\upsilon \in \mathit{trajs}(U)$, there exists $\tau \in T$ such that $\tau.\mathit{fstate} = x$, $\tau \downarrow U \leq \upsilon$, and either
(1) $\tau \downarrow U = \upsilon$, or
(2) $\tau$ is closed and some $l \in L$ is enabled in $\tau.\mathit{lstate}$.


Input action enabling is the input enabling condition of ordinary I/O automata. Input trajectory enabling is a new, corresponding condition for interaction over time intervals. It says that an HIOA should be able to accept any input trajectory, that is, any trajectory for the input variables, either by letting time advance for the entire duration of the input trajectory, or by reacting with a locally controlled action after some part of the input trajectory has occurred. In Section 7, we will see that by repeated application of axiom E2 an HIOA is able to fully accept any input trajectory, possibly interleaved with locally controlled actions, provided the HIOA does not exhibit unwanted Zeno behavior.

Note the role of dynamic types in axiom E2. Input trajectory enabling means that an automaton cannot restrict the inputs. The problem we hit is that, with absolutely no way of restricting the inputs, the inputs were just too ill-behaved. In examples, we typically want to be able to integrate the input to get the value of internal variables, but we cannot do this unless the input is integrable. Axiom E2 states that an HIOA needs to be able to accept any input trajectory in $\mathit{trajs}(U)$. By definition, the trajectories in $\mathit{trajs}(U)$, when projected on an individual variable $u \in U$, must be in agreement with the dynamic type of u. For instance, by taking as the dynamic type of variables in U the set of piecewise smooth functions, we impose some rather minimal constraints on the input trajectories that allow us to give meaningful automaton definitions involving integrals, differential equations, etc.

In control theory it is customary to require causality, that is, the output at time t depends only upon the input trajectory up to, and possibly including, time t [71]. In our setting, there is no need to enforce causality explicitly since it is implied already by the closure of the set of trajectories under prefix and concatenation. Assume that in a trajectory $\tau$ the output at time t “depends” on the input trajectory after t. By prefix closure of trajectories (axiom T1), $\tau \trianglelefteq t$ is also a trajectory. Let x be the state of $\tau$ at time t, and let $\upsilon$ be any input trajectory. By axiom E2 there exists a trajectory $\tau'$ with first state x that agrees with $\upsilon$ (at least up to a certain point). By axiom T3 the concatenation of $\tau \trianglelefteq t$ and $\tau'$ is again a trajectory. The output of this trajectory at time t agrees with the output of $\tau$ at time t, even though the subsequent inputs will in general be different. It follows that in $\tau$ the output at time t does not depend on the input after t, a contradiction. Also note that our definition does not enforce functional dependence of outputs from inputs: HIOAs may be nondeterministic, allowing for several possible outputs for any given input trajectory.

It will sometimes be convenient for us to consider automata in which inputs and outputs are distinguished, but that do not necessarily satisfy the properties E1 or E2. We call such an automaton a pre-HIOA.


Notation. As we did for HAs, we denote the components of a (pre-)HIOA A by $H_A, U_A, Y_A, \ldots, W_A, X_A, Q_A, \Theta_A$, etc., and those of a (pre-)HIOA $A_i$ by $H_i, U_i, Y_i, \ldots, W_i, X_i, Q_i, \Theta_i$, etc. We sometimes omit these subscripts, where no confusion is likely. We abuse notation slightly by referring to a (pre-)HIOA A as an HA when we intend to refer to $H_A$.
Example 6.2 (Vehicle and controller HIOAs). The Vehicle HA of Example 4.2 can be converted into an HIOA by classifying acc-in as an input variable and vel-out as an output variable. Property E1, input action enabling, holds vacuously. It is also easy to see that E2 holds, in fact, the first alternative always holds—from any state the Vehicle automaton can accept any input trajectory. Note that, in order for E2 to hold, it is essential that we do not require inclusion (2) to hold for initial states of trajectories.
Similarly, the Controller HA of Example 4.3 can be converted into an HIOA by classifying vel-out as an input variable and acc-in as an output variable. Again, E1 holds vacuously. To see E2, consider a state x, and an input trajectory $\upsilon$. The definition of Q implies that $x(\textit{clock}) \leq d$. Then the definition of the Controller trajectories implies that there is some trajectory $\tau$ starting from x that is consistent with $\upsilon$ and that either spans all of $\upsilon$ or stops short, at a valuation $\mathbf{v}$ in which clock = d. Then the definition of the suggest transitions implies that this locally controlled action is enabled in $\mathbf{v} \lceil X$, as needed.


Example 6.3 (Sensor and discrete controller HIOAs). The Sensor automaton from Example 5.14 can be converted into an HIOA by classifying vel-out as an input variable and the report actions as output actions. The argument that Sensor is actually an HIOA is similar to the argument for the Controller in Example 6.2.

Similarly, the DiscreteController automaton from Example 5.14 can be converted into an HIOA by classifying the report actions as input actions and the acc-in variable as an output variable. It is straightforward to verify E1. E2 is not completely trivial, even though the automaton has no input variables: from any state x we must consider “null” input trajectories, which map a time interval to the empty valuation (the valuation for no variables). If $x(\textit{stable}) = \textit{true}$, then the DiscreteController can accept the entire input trajectory, and if $x(\textit{stable}) = \textit{false}$, then suggest is enabled in x. This implies E2.


6.2. Executions, traces, and simulation relations 


An execution of a pre-HIOA A is defined to be an execution of $H_A$, a trace of A is a trace of $H_A$, and similarly for execution fragments and trace fragments. We extend the notation $\mathit{execs}_A$, etc. to pre-HIOAs in the obvious way. Two pre-HIOAs $A_1$ and $A_2$ are comparable if their inputs and outputs coincide, that is, if $I_1 = I_2$, $O_1 = O_2$, $U_1 = U_2$, and $Y_1 = Y_2$. If $A_1$ and $A_2$ are comparable, then $A_1 \leq A_2$ is defined to mean that the traces of $A_1$ are included among those of $A_2$: $A_1 \leq A_2 \triangleq \mathit{traces}_{A_1} \subseteq \mathit{traces}_{A_2}$.


Lemma 6.4. Let $A_1$ and $A_2$ be two comparable pre-HIOAs. Then $H_1$ and $H_2$ are comparable and $A_1 \leq A_2$ iff $H_1 \leq H_2$.


Proof. Immediate from the definitions. 


The definition of simulation for pre-HIOAs is the same as for HAs. Formally, if $A_1$ and $A_2$ are comparable pre-HIOAs, then a simulation from $A_1$ to $A_2$ is a simulation from $H_1$ to $H_2$.


Theorem 6.5. If $A_1$ and $A_2$ are comparable pre-HIOAs and there is a simulation from $A_1$ to $A_2$, then $A_1 \leq A_2$.


Proof. Immediate from the definition of simulation, Theorem 4.12, and Lemma 6.4. 
6.3. Composition


The definition of composition for HIOAs is based on the corresponding definition for HAs, but also takes the input/output structure into account. Just as for HAs, we allow an HIOA $A_1$ to be composed with an HIOA $A_2$ only if the sets of internal actions and variables of $A_1$ are disjoint from the sets of actions and variables, respectively, of $A_2$. In addition, in order that the composition operation might satisfy certain desirable properties (see, for example, the results in Section 6.5), we require that at most one component should “control” any given action or variable; that is, we allow $A_1$ and $A_2$ to be composed only if the sets of output actions of $A_1$ and $A_2$ are disjoint and the sets of output variables of $A_1$ and $A_2$ are disjoint.

Formally, we say that pre-HIOAs $A_1$ and $A_2$ are compatible if $H_1$ and $H_2$ are compatible and

$Y_1 \cap Y_2 = O_1 \cap O_2 = \emptyset$.


Lemma 6.6. If $A_1$ and $A_2$ are compatible pre-HIOAs, then $H_1$ and $H_2$ are compatible HAs.


Proof. Immediate from the definitions. 


If $A_1$ and $A_2$ are compatible pre-HIOAs then their composition $A_1 \| A_2$ is defined to be the tuple $A = (H, U, Y, I, O)$ where

• $H = H_1 \| H_2$,
• $Y = Y_1 \cup Y_2$,
• $U = (U_1 \cup U_2) - Y$,
• $O = O_1 \cup O_2$, and
• $I = (I_1 \cup I_2) - O$.

Thus, an external action or variable of the composition is classified as an output if it is an output of one of the component automata, and otherwise it is classified as an input.
The composition of two HIOAs (or pre-HIOAs) is guaranteed to be a pre-HIOA:


Theorem 6.7. If $A_1$ and $A_2$ are pre-HIOAs then $A_1 \| A_2$ is a pre-HIOA.


Proof. Let A denote $A_1 \| A_2$. Lemma 5.2 implies that $H = H_1 \| H_2$ is an HA. By construction, U and Y form a partition of W and I and O form a partition of E. This suffices.


Example 6.8 (Interfaces for compositions of HIOAs). When the Vehicle and Controller HIOAs from Example 6.2 are composed, the external interface of the resulting pre-HIOA consists of $U = I = O = \emptyset$ and $Y = \{\textit{acc-in}, \textit{vel-out}\}$. When the Sensor and DiscreteController from Example 6.3 are composed, the external interface of the resulting pre-HIOA consists of $U = \{\textit{vel-out}\}$, $Y = \{\textit{acc-in}\}$, $I = \emptyset$, and $O = \{\textit{report}(v) \mid v \in \mathbb{R}\}$.


Composition of pre-HIOAs satisfies the following substitutivity result: 


Theorem 6.9. Suppose $A_1$ and $A_2$ are comparable pre-HIOAs with $A_1 \leq A_2$. Suppose B is a pre-HIOA that is compatible with each of $A_1$ and $A_2$. Then $A_1 \| B$ and $A_2 \| B$ are comparable and $A_1 \| B \leq A_2 \| B$.
Proof. The fact that $A_1$ and $A_2$ are comparable and the definition of composition for pre-HIOAs implies that $A_1 \| B$ and $A_2 \| B$ are comparable.

Since $A_1$ and $A_2$ are comparable and $A_1 \leq A_2$, Lemma 6.4 implies that $H_{A_1}$ and $H_{A_2}$ are comparable and $H_{A_1} \leq H_{A_2}$. Lemma 6.6 implies that $H_{A_1}$ and $H_B$ are compatible HAs and $H_{A_2}$ and $H_B$ are compatible HAs. Theorem 5.8 then implies that $H_{A_1} \| H_B \leq H_{A_2} \| H_B$. By the definition of composition, it follows that $H_{A_1 \| B} \leq H_{A_2 \| B}$. Then the definition of implementation for pre-HIOAs implies that $A_1 \| B \leq A_2 \| B$.


We would like to show that the composition of two HIOAs is an HIOA; however, this is not true in 
general. Property E1 is preserved by composition: 


Lemma 6.10. If $A_1$ and $A_2$ are pre-HIOAs that satisfy E1, then the composition $A_1 \| A_2$ also satisfies E1.


Proof. Let $A = A_1 \| A_2$. Assume that $A_1$ and $A_2$ satisfy E1. We verify that A satisfies E1. Consider $x \in Q$ and $a \in I$. We distinguish three cases.

(1) $a \in I_1 \cap I_2$. By definition of composition, $x \lceil X_i \in Q_i$ for $i \in \{1, 2\}$. Then by E1 applied to $A_i$, there exists a state $x_i'$ of $A_i$ such that $(x \lceil X_i) \xrightarrow{a} x_i'$. Let $x' \triangleq x_1' \cup x_2'$. We know that $x'$ is well defined since, by compatibility, $X_1 \cap X_2 = \emptyset$. Then by definition of composition, $x' \in Q$ and $x \xrightarrow{a} x'$.

(2) $a \in I_1 - I_2$. By definition of composition, $x \lceil X_1 \in Q_1$. By E1 applied to $A_1$, there exists a state $x_1'$ of $A_1$ such that $(x \lceil X_1) \xrightarrow{a} x_1'$. Let $x' \triangleq x_1' \cup (x \lceil X_2)$. We know that $x'$ is well defined since, by compatibility, $X_1 \cap X_2 = \emptyset$. Then by definition of parallel composition, $x' \in Q$ and $x \xrightarrow{a} x'$.

(3) $a \in I_2 - I_1$. Symmetric to the previous case.


However, E2 is not necessarily preserved by composition: 


Example 6.11 (Two HIOAs whose composition does not satisfy E2). Suppose that $A_1$ has no discrete actions, no state variables, one output variable $v_1$ and one input variable $v_2$. All variables are of type $\mathbb{R}$ and dynamic type the (pasting closure of the) continuous functions. The sets $Q_1$ and $\Theta_1$ of states and start states consist of the unique valuation of the empty set of variables. The trajectories are all those functions that satisfy $v_1(t) = v_2(t) + 1$ for $t > 0$. It is easy to check that $A_1$ is an HIOA. Define $A_2$ symmetrically, with output variable $v_2$ and input variable $v_1$; $A_2$'s trajectories are those that satisfy $v_2(t) = v_1(t) + 1$ for $t > 0$.

The composition pre-HIOA, $A_1 \| A_2$, does not satisfy E2. Satisfying E2 would require (since the composition has no discrete actions) that the composition include at least one trajectory with limit time $\infty$ starting from the initial state. However, no such trajectory exists, because the combined constraints are inconsistent for every $t > 0$.


As a way out of the difficulties noted in Example 6.11, we might consider introducing a static dependency relation $<_A$ between the external variables of a hybrid automaton. If $x <_A y$ then the value of y is allowed to depend without delay on the value of x. As an additional condition for compatibility of A and B, we would then require that A and B do not share variables x and y such that $x <_A y$ and $y <_B x$. This approach, which is followed, for example, in the Masaccio language of [33], would rule out the above example. However, it would also rule out any form of dynamic feedback as studied in control theory (for instance, PID control) [79]. We therefore think that this static approach is overly restrictive. Within control theory there is no generally applicable syntactic criterion to test whether combinations of differential and algebraic equations are well-defined; consequently, we have no simple criterion to test whether the composition of two HIOAs satisfies E2.

As a technical way out of the difficulty, we define a stronger notion of compatibility. Namely, we say that compatible pre-HIOAs $A_1$ and $A_2$ are strongly compatible if $A_1 \| A_2$ satisfies axiom E2. Strong compatibility says that any input trajectory $\upsilon$ of the composition must be acceptable by the composition: the two component automata are able to evolve together, following the input trajectory $\upsilon$, in such a way that either they accept all of $\upsilon$ or else they accept part of $\upsilon$, up to a point where one of them can interrupt with a locally controlled action.


Theorem 6.12. If $A_1$ and $A_2$ are strongly compatible HIOAs, then $A_1 \| A_2$ is an HIOA.


Proof. Theorem 6.7 implies that the composition is a pre-HIOA. Lemma 6.10 implies that the composition satisfies E1. Property E2 follows immediately from strong compatibility.


Strong compatibility is a technical notion. By itself, it does not seem to be very useful, because checking 
it involves verifying compatibility between the continuous dynamics of two systems. In Section 6.5, we 
give some sufficient conditions for strong compatibility that are easier to check. 


6.4. Hiding 


The definitions of variable and action hiding extend to any pre-HIOA A. For input/output automata, we allow hiding outputs only (but not inputs):
(1) If $O \subseteq O_A$, then $\mathit{ActHide}(O, A)$ is the pre-HIOA B that is equal to A except that $O_B = O_A - O$ and $H_B = H_A \cup O$.
(2) If $Y \subseteq Y_A$ then $\mathit{VarHide}(Y, A)$ is the pre-HIOA B given by:
• $H_B = \mathit{VarHide}(Y, H_A)$.
• $Y_B = Y_A - Y$.
• $U_B = U_A$, $I_B = I_A$, and $O_B = O_A$.


Lemma 6.13. Suppose A is a pre-HIOA, $O \subseteq O_A$, and $Y \subseteq Y_A$. Then:
(1) $\mathit{ActHide}(O, A)$ and $\mathit{VarHide}(Y, A)$ are pre-HIOAs.
(2) If A satisfies E1 then so do $\mathit{ActHide}(O, A)$ and $\mathit{VarHide}(Y, A)$.
(3) If A satisfies E2 then so do $\mathit{ActHide}(O, A)$ and $\mathit{VarHide}(Y, A)$.


Lemma 6.14. Let A be a pre-HIOA.
(1) If $O \subseteq O_A$ then $\mathit{traces}_{\mathit{ActHide}(O, A)} = \{\beta \lceil (E_A - O, V_A) \mid \beta \in \mathit{traces}_A\}$.
(2) If $Y \subseteq Y_A$ then $\mathit{traces}_{\mathit{VarHide}(Y, A)} = \{\beta \lceil (A_A, W_A - Y) \mid \beta \in \mathit{traces}_A\}$.


Proof. Straightforward, see also the proof of Lemma 5.11. 
Theorem 6.15. Suppose A and B are pre-HIOAs with $A \leq B$, and suppose $O \subseteq O_A$ and $Y \subseteq Y_A$. Then $\mathit{ActHide}(O, A) \leq \mathit{ActHide}(O, B)$ and $\mathit{VarHide}(Y, A) \leq \mathit{VarHide}(Y, B)$.


Proof. Straightforward, using Lemma 6.14. 


Example 6.16 (Interfaces for automata with hiding). In Example 5.14, we defined the HA $B \triangleq \mathit{VarHide}(\{\textit{acc-in}\}, A \| \textit{Vehicle})$, where

$A = \mathit{ActHide}(\{\textit{report}(v) \mid v \in \mathbb{R}\}, \textit{Sensor} \| \textit{DiscreteController})$.

This models the three-way composition of the sensor, discrete controller, and vehicle, with the internal report actions and acceleration suggestions hidden. If we interpret the three automata as HIOAs, then these definitions still make sense because the actions and variables that are hidden are outputs. The external interface for A is given by $U_A = \{\textit{vel-out}\}$, $Y_A = \{\textit{acc-in}\}$, and $I_A = O_A = \emptyset$, and the external interface for B is given by $U_B = I_B = O_B = \emptyset$ and $Y_B = \{\textit{vel-out}\}$.


6.5. Sufficient conditions for strong compatibility 


Checking strong compatibility of two HIOAs can be difficult because it requires checking compatibility 
between the continuous dynamics of two systems. However, for certain restricted classes of HIOAs, strong 
compatibility is implied by compatibility, which is easy to check. 


Example 6.17 (HIOAs for which compatibility implies strong compatibility). It is routine to verify that 
two HIOAs without input variables are strongly compatible if and only if they are compatible. In the 
classical control theory setting, a system without input variables is uninteresting because it cannot be 
controlled. However, in the hybrid setting, such a system can still interact with its environment via discrete 
input actions. Linear hybrid automata as described in [3,4], for instance, have no input variables. 
Symmetrically, two HIOAs without output variables are strongly compatible if and only if they are 
compatible. The same equivalence holds if one of the HIOAs has no input variables and the other has no 
output variables, or if one has no external variables at all. 


The following theorem generalizes all the claims in Example 6.17. It applies to pairs of HIOAs that 
cannot mutually affect each other because the output variables of one are disjoint from the input variables 
of the other. 


Theorem 6.18. Let $A_1$ and $A_2$ be two compatible HIOAs such that $U_1 \cap Y_2 = \emptyset$. Then $A_1$ and $A_2$ are strongly compatible.


Proof. Let A denote $A_1 \| A_2$. We need to show that A satisfies E2. Let x be a state of A and let $\upsilon$ be a trajectory in $\mathit{trajs}(U)$. Since $U_1 \cap Y_2 = \emptyset$, the definition of composition implies that $U_1 \subseteq U$. By E2 applied to $A_1$, there exists a trajectory $\tau_1 \in T_1$, with $\tau_1.\mathit{fstate} = x \lceil X_1$, that is pointwise compatible with $\upsilon$ and such that either $\mathit{dom}(\tau_1) = \mathit{dom}(\upsilon)$, or else $\mathit{dom}(\tau_1) \subset \mathit{dom}(\upsilon)$, $\tau_1$ is closed, and a locally controlled action of $A_1$ is enabled in $\tau_1.\mathit{lstate}$.

Let $\upsilon_2$ be $((\upsilon \lceil \mathit{dom}(\tau_1)) \cup \tau_1) \downarrow U_2$. That is, $\upsilon_2$ is an input trajectory for $A_2$. Each input variable of $A_2$ is either an input variable of A or an output variable of $A_1$; the valuations in $\upsilon_2$ for those that are inputs of A are obtained from $\upsilon$, whereas the valuations for those that are output variables of $A_1$ are obtained from $\tau_1$. By E2 applied to $A_2$, there exists a trajectory $\tau_2 \in T_2$, with $\tau_2.\mathit{fstate} = x \lceil X_2$, that is pointwise compatible with $\upsilon_2$ and such that either $\mathit{dom}(\tau_2) = \mathit{dom}(\upsilon_2)$, or else $\mathit{dom}(\tau_2) \subset \mathit{dom}(\upsilon_2)$, $\tau_2$ is closed, and a locally controlled action of $A_2$ is enabled in $\tau_2.\mathit{lstate}$.

In the second case, $(\tau_1 \lceil \mathit{dom}(\tau_2)) \cup \tau_2$ is a trajectory of T that starts from x, is pointwise compatible with $\upsilon$, is closed, and enables a locally controlled action of A (in particular, of $A_2$) in its last state. In the first case, $\tau_1 \cup \tau_2$ is a trajectory of T that starts from x, is pointwise compatible with $\upsilon$, and either spans all of $\upsilon$ or is closed and enables a locally controlled action of A (in particular, of $A_1$) in its last state. This shows that A satisfies E2. □


We can also consider HIOAs that do not exhibit any dependencies between inputs and outputs during 
a trajectory. In particular, the values of the input variables should affect neither the values of the output 
variables nor the amount of time that elapses until a locally controlled action is enabled. Formally, we 
say that an HIOA A is oblivious if it satisfies the following axiom: 


OBL For all $\tau \in T$ and $\upsilon \in \mathit{trajs}(U)$ with $\mathit{dom}(\tau) = \mathit{dom}(\upsilon)$, there exists $\tau' \in T$ such that:
(1) $\tau' \downarrow U = \upsilon$.
(2) $\tau' \downarrow Y = \tau \downarrow Y$.
(3) If $\tau$ is closed and some locally controlled action is enabled in $\tau.\mathit{lstate}$ then some locally controlled action is enabled in $\tau'.\mathit{lstate}$.


Theorem 6.19. Let $A_1$ and $A_2$ be two compatible HIOAs and suppose that $A_1$ is oblivious. Then $A_1$ and $A_2$ are strongly compatible.


Proof. Let A denote $A_1 \| A_2$. We need to show that A satisfies E2. Let x be a state of A and let $\upsilon$ be a trajectory in $\mathit{trajs}(U)$. Let $\upsilon_1$ be any trajectory of $\mathit{trajs}(U_1)$ that is pointwise compatible with $\upsilon$ and such that $\mathit{dom}(\upsilon_1) = \mathit{dom}(\upsilon)$. By E2 applied to $A_1$, there exists a trajectory $\tau_1 \in T_1$, with $\tau_1.\mathit{fstate} = x \lceil X_1$, that is pointwise compatible with $\upsilon_1$ and such that either $\mathit{dom}(\tau_1) = \mathit{dom}(\upsilon_1)$, or else $\mathit{dom}(\tau_1) \subset \mathit{dom}(\upsilon_1)$, $\tau_1$ is closed, and a locally controlled action of $A_1$ is enabled in $\tau_1.\mathit{lstate}$.

Let $\upsilon_2$ be $((\upsilon \lceil \mathit{dom}(\tau_1)) \cup \tau_1) \downarrow U_2$. By E2 applied to $A_2$, there exists a trajectory $\tau_2 \in T_2$, with $\tau_2.\mathit{fstate} = x \lceil X_2$, that is pointwise compatible with $\upsilon_2$ and such that either $\mathit{dom}(\tau_2) = \mathit{dom}(\upsilon_2)$, or else $\mathit{dom}(\tau_2) \subset \mathit{dom}(\upsilon_2)$, $\tau_2$ is closed, and a locally controlled action of $A_2$ is enabled in $\tau_2.\mathit{lstate}$.

Let $\upsilon_1'$ be $((\upsilon \lceil \mathit{dom}(\tau_2)) \cup \tau_2) \downarrow U_1$. By OBL applied to $A_1$, there exists a trajectory $\tau_1' \in T_1$ such that $\tau_1' \downarrow U_1 = \upsilon_1'$, $\tau_1' \downarrow Y_1 = (\tau_1 \lceil \mathit{dom}(\tau_2)) \downarrow Y_1$, and if $\tau_1 \lceil \mathit{dom}(\tau_2)$ is closed and some locally controlled action of $A_1$ is enabled in its last state, then some locally controlled action is also enabled in $\tau_1'.\mathit{lstate}$. It follows that $\tau_1'$ and $\tau_2$ are pointwise compatible, and that $\tau_1' \cup \tau_2$ is a trajectory in T that starts from x and is pointwise compatible with $\upsilon$. We claim that $\tau_1' \cup \tau_2$ satisfies the requirements for E2. We consider cases:

(1) $\mathit{dom}(\tau_2) \subset \mathit{dom}(\upsilon_2)$. Then $\tau_1' \cup \tau_2$ is closed and enables a locally controlled action (of $A_2$) in its last state, which satisfies the requirements for E2.

(2) $\mathit{dom}(\tau_2) = \mathit{dom}(\upsilon_2)$ $(= \mathit{dom}(\tau_1))$. We consider two subcases. First, if $\mathit{dom}(\tau_1) \subset \mathit{dom}(\upsilon)$, then $\tau_1$ is closed and enables some locally controlled action (of $A_1$) in its last state. By axiom OBL, some locally controlled action is also enabled in $(\tau_1' \cup \tau_2).\mathit{lstate}$, which suffices for E2. In the other subcase, if $\mathit{dom}(\tau_1) = \mathit{dom}(\upsilon)$, then $\tau_1' \cup \tau_2$ spans all of $\upsilon$, which again suffices for E2.

Fig. 8. Hybrid Control System.


Example 6.20 (Oblivious controller). The Controller HIOA of Examples 4.3 and 6.2 satisfies OBL.
During any trajectory t of Controller, velocity information arrives in vel-out but does not affect the 
Controller’s output; the output is only changed when a (locally controlled) suggest transition occurs. 
Enabling of the suggest action is not affected by changes in vel-out, but only by the value of clock. 
Because Controller is oblivious and compatible with the Vehicle HIOA, Theorem 6.19 implies that 
Vehicle and Controller are strongly compatible. It follows that their composition, Vehicle||Controller, is 
an HIOA. 


Example 6.21 (Plant and controller). Fig. 8 displays a standard scenario studied in control theory 
involving a plant P controlled by a digital controller C. The interface from the controller to the plant is 
given by a digital/analog converter D, while the interface from the plant to the controller is given by an 
analog/digital converter A. The controller C monitors the input variables and changes its output variables 
only at the clock ticks via some discrete transitions. Thus, C satisfies OBL. The output variables of A 
are disjoint from the input variables of both P and D, and the output variables of P are disjoint from the 
input variables of D. Thus, if P, C, A, D are pairwise compatible, then P and A are strongly compatible (by Theorem 6.18), $P \| A$ and D are strongly compatible (by Theorem 6.18), and $((P \| A) \| D)$ and C are strongly compatible (by Theorem 6.19). Hence, $((P \| A) \| D) \| C$ is an HIOA.
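The interface bookkeeping of Sections 6.3 (composition), 6.4 (hiding) and 6.5 (the two sufficient conditions for strong compatibility), as added example code that is not from the paper or from any tool of its authors; it reproduces the interfaces of Examples 6.8 and 6.16, the Vehicle/Controller case of Example 6.20 and the Fig. 8 chain of Example 6.21. Internal variables and actions are taken from the definitions quoted in this section; the wire names u, y, ys, ud of Fig. 8 and the internal action tick of C are assumed, and obliviousness is a flag asserted by the modeller rather than checked against the continuous dynamics.

```python
"""Interface algebra of Sections 6.3-6.5 (composition, hiding, sufficient
conditions for strong compatibility).  Added example code, not from the HIOA
paper.  Only the external interface (U, Y, I, O) plus the internal variables X
and internal actions H needed for compatibility are modelled; continuous
dynamics are not, so axiom OBL is an asserted flag."""
from dataclasses import dataclass


def fs(*items):
    return frozenset(items)


@dataclass(frozen=True)
class Iface:
    name: str
    U: frozenset = fs()      # input variables
    Y: frozenset = fs()      # output variables
    X: frozenset = fs()      # internal (state) variables
    I: frozenset = fs()      # input actions
    O: frozenset = fs()      # output actions
    H: frozenset = fs()      # internal actions
    oblivious: bool = False  # axiom OBL, asserted by the modeller


def compatible(a, b):
    """Compatibility of pre-HIOAs: the underlying HAs are compatible (internal
    variables/actions of each are disjoint from all variables/actions of the other)
    and, in addition, Y1 ∩ Y2 = O1 ∩ O2 = ∅."""
    vars_a, vars_b = a.U | a.Y | a.X, b.U | b.Y | b.X
    acts_a, acts_b = a.I | a.O | a.H, b.I | b.O | b.H
    return not (a.X & vars_b or b.X & vars_a or a.H & acts_b or b.H & acts_a
                or a.Y & b.Y or a.O & b.O)


def compose(a, b):
    """A1||A2: an external variable/action is an output if it is an output of
    either component, otherwise an input (Section 6.3)."""
    if not compatible(a, b):
        raise ValueError(f"{a.name} and {b.name} are not compatible")
    Y, O = a.Y | b.Y, a.O | b.O
    return Iface(f"{a.name}||{b.name}", U=(a.U | b.U) - Y, Y=Y, X=a.X | b.X,
                 I=(a.I | b.I) - O, O=O, H=a.H | b.H)


def act_hide(acts, a):
    """ActHide(O, A): hidden output actions become internal; only outputs may be hidden."""
    if not acts <= a.O:
        raise ValueError("ActHide: only output actions may be hidden")
    return Iface(f"ActHide({a.name})", U=a.U, Y=a.Y, X=a.X, I=a.I,
                 O=a.O - acts, H=a.H | acts, oblivious=a.oblivious)


def var_hide(vs, a):
    """VarHide(Y, A): hidden output variables become internal; U, I, O unchanged."""
    if not vs <= a.Y:
        raise ValueError("VarHide: only output variables may be hidden")
    return Iface(f"VarHide({a.name})", U=a.U, Y=a.Y - vs, X=a.X | vs, I=a.I,
                 O=a.O, H=a.H, oblivious=a.oblivious)


def strong_compat_witness(a, b):
    """Name the result of Section 6.5 that guarantees strong compatibility, or
    None when neither applies (E2 of the composition must then be checked directly)."""
    if not compatible(a, b):
        return None
    # Theorem 6.18: outputs of one component disjoint from inputs of the other;
    # composition is symmetric, so either orientation suffices.
    if not (a.U & b.Y) or not (b.U & a.Y):
        return "Theorem 6.18"
    if a.oblivious or b.oblivious:   # Theorem 6.19
        return "Theorem 6.19"
    return None


# The paper's running examples; the parameterised family report(v) is one name.
REPORT = "report(v)"
Vehicle = Iface("Vehicle", U=fs("acc-in"), Y=fs("vel-out"))
Controller = Iface("Controller", U=fs("vel-out"), Y=fs("acc-in"),
                   X=fs("clock", "vel-sensed", "acc-suggested"), H=fs("suggest"),
                   oblivious=True)                                  # Example 6.20
Sensor = Iface("Sensor", U=fs("vel-out"), X=fs("clock", "vel-sensed"), O=fs(REPORT))
DiscreteController = Iface("DiscreteController", Y=fs("acc-in"), I=fs(REPORT),
                           X=fs("vel-reported", "acc-suggested", "stable"),
                           H=fs("suggest"))


def example_6_16():
    """A = ActHide({report(v)}, Sensor||DiscreteController); B = VarHide({acc-in}, A||Vehicle)."""
    A = act_hide(fs(REPORT), compose(Sensor, DiscreteController))
    return A, var_hide(fs("acc-in"), compose(A, Vehicle))


def example_6_21():
    """Plant/controller chain of Fig. 8; the wire names u, y, ys, ud are assumed."""
    P = Iface("P", U=fs("u"), Y=fs("y"))                                   # plant
    A = Iface("A", U=fs("y"), Y=fs("ys"))                                  # A/D converter
    D = Iface("D", U=fs("ud"), Y=fs("u"))                                  # D/A converter
    C = Iface("C", U=fs("ys"), Y=fs("ud"), H=fs("tick"), oblivious=True)  # digital controller
    system, witnesses = P, []
    for component in (A, D, C):                                           # ((P||A)||D)||C
        witnesses.append(strong_compat_witness(system, component))
        system = compose(system, component)
    return system, witnesses
```

For Sensor and DiscreteController the witness is Theorem 6.18 (U_Sensor = {vel-out} is disjoint from Y_DiscreteController = {acc-in}), and composing Sensor with Controller is rejected because both own the internal variable clock.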


Example 6.22 (Lipschitz HIOAs). We may define a subclass of HIOAs called Lipschitz HIOAs, in which 
some of the state variables are discrete “mode” variables, and in which, for each mode, the rest of the 
variables evolve according to a system of differential equations based on globally Lipschitz functions. 
We may restrict this class further by imposing a bound on the range of the input variables (by restricting 
their dynamic types), thus obtaining the set of input-bounded Lipschitz HIOAs. Then it is possible to 
show that two compatible input-bounded Lipschitz HIOAs are strongly compatible, which implies that 
the composition of two compatible input-bounded Lipschitz HIOAs is a (Lipschitz) HIOA. A careful development will be reserved for another paper.


7. Receptive hybrid I/O automata 


In this section, we define the notion of receptiveness for HIOAs. An HIOA will be defined to be 
receptive provided that it admits a strategy for resolving its nondeterministic choices that never generates 
infinitely many locally controlled actions in finite time. This notion has two important consequences: 
First, a receptive HIOA provides some response from any state, for any sequence of discrete input actions 
and input trajectories. This implies that the automaton has a nontrivial set of execution fragments, in 
fact, it has execution fragments that accommodate any inputs from the environment. The automaton 
cannot simply stop at some point and refuse to allow time to elapse; it must allow time to pass to 
infinity if the environment does so. Second, receptiveness is closed under composition. Previous studies 
of receptiveness properties include [1,21,54,74]. 

If HIOA A implements HIOA B and if A is receptive, then besides preservation of “may” properties (any trace of A is also a trace of B) we also have preservation of “must” properties. For instance, if in B an input action a always must be followed by an output b within 10 time units, then this property will also hold for A: (1) since A is input enabled it will always accept input a, (2) since A is receptive it will never end up in a time deadlock or a Zeno execution; time can always advance, (3) A must always perform a b before or at time 10 since otherwise a trace is generated that is not allowed by B.

We formally define receptiveness by first defining what it means for an HIOA to be progressive. A 
progressive HIOA never generates infinitely many locally controlled actions in finite time. Thus, in all 
of its execution fragments, it allows time to pass to infinity provided that its environment also does so. 
We then define a strategy for resolving nondeterministic choices, and define receptiveness in terms of 
the existence of a progressive strategy. 

The treatment of receptiveness in this paper is much simpler than that in previous papers. One reason is 
that we address only the generation of admissible executions here, rather than general liveness properties. 
Also, we formulate strategies as restricted automata, rather than introducing separate definitions based 
on two-player games. 


7.1. Progressive HIOAs 


We say that an execution fragment of a pre-HIOA is locally Zeno if it is Zeno and contains infinitely 
many locally controlled actions, or equivalently, if it has finite limit time and contains infinitely many 
locally controlled actions. A pre-HIOA A is progressive if it has no locally Zeno execution fragments. 

The following lemma says that any progressive pre-HIOA that satisfies E2, and therefore any HIOA, 
is capable of following any input trajectory. 


Lemma 7.1. Let A be a progressive pre-HIOA that satisfies property E2, let x be a state of A, and let $\upsilon \in \mathit{trajs}(U)$. Then there exists an execution fragment $\alpha$ of A such that $\alpha.\mathit{fstate} = x$ and $\alpha \lceil (I, U) = \upsilon$. (Here $\upsilon$ also denotes the hybrid sequence consisting of the single trajectory $\upsilon$. Recall that we write $a$ for a sequence consisting of just $a$.)
Proof. We construct a finite or infinite sequence $\alpha_0, \alpha_1, \ldots$ of execution fragments of A such that:
(1) $\alpha_0.\mathit{fstate} = x$.
(2) For every nonfinal index i, $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$.
(3) For every $i \geq 0$, $(\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_i) \lceil (I, U) \leq \upsilon$.
(4) For every $i \geq 0$, either $(\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_i) \lceil (I, U) = \upsilon$ or $\alpha_i$ includes a locally controlled action.
The construction is carried out recursively. To define $\alpha_0$, we begin with state x and use E2 either to span all of $\upsilon$, or to span a prefix of $\upsilon$ and then perform a locally controlled action. For $i > 0$ (assuming that we have not already spanned all of $\upsilon$), we define $\alpha_i$ by beginning with $\alpha_{i-1}.\mathit{lstate}$ and using E2 either to span the entire suffix of $\upsilon$ starting from $(\alpha_0 \frown \cdots \frown \alpha_{i-1}).\mathit{ltime}$, or to span a prefix of that suffix and then perform a locally controlled action.
Now we consider two cases:
(1) The construction ends after a finite number of stages, having spanned all of $\upsilon$, say with $\alpha_k$ as the last execution fragment in the sequence. In this case, the concatenation $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k$ satisfies the conditions of the lemma.
(2) The construction proceeds through infinitely many stages. In this case, the execution fragment $\alpha = \alpha_0 \frown \alpha_1 \frown \cdots$ contains infinitely many locally controlled actions. Since A is progressive, it must be the case that $\alpha.\mathit{ltime} = \infty$, and therefore $\alpha \lceil (I, U).\mathit{ltime} = \infty$. Since the set of trajectories for U is a cpo, $\alpha \lceil (I, U) \leq \upsilon$. Since $\alpha \lceil (I, U) \leq \upsilon$ and $\alpha \lceil (I, U).\mathit{ltime} = \infty$, it follows that $\alpha \lceil (I, U) = \upsilon$, as needed.


The following theorem says that a progressive HIOA is capable of following not just individual input 
trajectories, but entire input hybrid sequences. 


Theorem 7.2. Let A be a progressive HIOA with state x, and let $\beta$ be an (I, U)-sequence. Then there exists an execution fragment $\alpha$ of A such that $\alpha.\mathit{fstate} = x$ and $\alpha \lceil (I, U) = \beta$.


Proof. Let $\beta = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \ldots$. We define a finite or infinite sequence $\alpha_0, \alpha_1, \ldots$ of execution fragments of A such that:
(1) $\alpha_0.\mathit{fstate} = x$.
(2) For every nonfinal index i, $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$.
(3) For every i, $(\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_i) \lceil (I, U) = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \ldots \tau_i$.
The construction is carried out recursively. To define $\alpha_0$, we begin with x and use Lemma 7.1 to span $\tau_0$. For $i > 0$, we define $\alpha_i$ by starting with $\alpha_{i-1}.\mathit{lstate}$, using property E1 to perform action $a_i$ and move to a new state, and then using Lemma 7.1 to span $\tau_i$.

Let $\alpha = \alpha_0 \frown \alpha_1 \frown \cdots$. By Lemma 3.8 we conclude that $\alpha \lceil (I, U) = \beta$, as needed.


The property asserted in Theorem 7.2 has been called I/O feasibility elsewhere in the literature [59]. Thus, we define a pre-HIOA to be I/O feasible provided that, for each state x and each (I, U)-sequence $\beta$, there is some execution fragment $\alpha$ such that $\alpha.\mathit{fstate} = x$ and $\alpha \lceil (I, U) = \beta$. Theorem 7.2 may then be restated as:


Corollary 7.3. Every progressive HIOA is I/O feasible. 


I/O feasibility implies that any finite execution fragment can be extended to an admissible execution in response to any admissible input from the environment. A related, weaker property that has also been studied is feasibility [57]. In terms of our model, we may say that a pre-HIOA is feasible provided that, for each state x, there is some admissible execution fragment $\alpha$ such that $\alpha.\mathit{fstate} = x$.

Feasibility implies that any finite execution fragment can be extended to some admissible execution 
fragment—no constraints are imposed on the inputs. Observe that any I/O feasible HIOA must be feasible, 
as long as the dynamic type of each input variable includes at least one admissible trajectory. Feasibility 
should be regarded as a minimal liveness requirement that any reasonable HIOA should satisfy. I/O 
feasibility is a strengthened version of feasibility that takes inputs into account. 

Closure under composition is easy to show: 


Theorem 7.4. If $A_1$ and $A_2$ are compatible progressive pre-HIOAs, then their composition is also 
progressive. 


Proof. Let $A$ be $A_1 \| A_2$. Suppose for the sake of contradiction that $A$ is not progressive. Then, 
by definition, $A$ has a locally Zeno execution fragment $\alpha$, that is, $\alpha$ is time-bounded and contains infinitely many locally 
controlled actions of $A$. Therefore, $\alpha$ contains either infinitely many locally controlled actions of $A_1$ 
or infinitely many locally controlled actions of $A_2$. Suppose without loss of generality that $\alpha$ contains 
infinitely many locally controlled actions of $A_1$. Then, by Lemma 5.3 and the definition of restriction, 
$\alpha \lceil (A_1, V_1)$ is a time-bounded execution fragment of $A_1$ with infinitely many locally controlled actions, 
that is, a locally Zeno execution fragment of $A_1$. This contradicts the assumption that $A_1$ is progressive. 


Example 7.5 (Progressive and non-progressive pre-HIOAs). The Vehicle HIOA is obviously progressive 
because it has no discrete actions. The Controller and Sensor HIOAs are progressive because their locally 
controlled actions are separated in time. The DiscreteController HIOA is not progressive, because if 
report inputs arrive in a Zeno fashion, the DiscreteController may respond by performing suggest 
internal actions in a Zeno fashion. However, the composition Sensor||DiscreteController is progressive. 

Consider a more nondeterministic version of Sensor, NSensor, that is allowed to perform report 
actions for any value of $clock$ ($\leq d$), rather than just for $clock = d$. Formally, NSensor is identical 
to Sensor except that condition (18) is dropped. NSensor is not progressive, because it may perform 
infinitely many report actions in finite time. Also, the composition of NSensor with DiscreteController 
is not progressive. 


7.2. Strategies 


In this subsection, we define the notion of a strategy, which provides a way to resolve some of 
the nondeterministic choices in a pre-HIOA. We will use strategies in the next subsection to define 
receptiveness. 

We define a strategy for a pre-HIOA $A$ to be an HIOA $A'$ that differs from $A$ only in that $D' \subseteq D$ and 
$T' \subseteq T$. That is, we require: 

• $D' \subseteq D$. 
• $T' \subseteq T$. 
• $W = W'$, $X = X'$, $Q = Q'$, $\Theta = \Theta'$, $E = E'$, $H = H'$, $U = U'$, $Y = Y'$, $I = I'$ and $O = O'$. 

Our strategies are nondeterministic and memoryless. They serve to choose some of the evolutions that 
are possible from each state $x$ of $A$. The fact that the state set $Q'$ of $A'$ is the same as the state set $Q$ of 
$A$ implies that $A'$ chooses evolutions from every state of $A$. 

Strategy notions have been used elsewhere in defining receptiveness, for example, in [1,21,74]. In this 
earlier work, strategies have been formalized using two-player games rather than restricted automata. 
Defining strategies using automata instead of two-player games allows us to avoid introducing extra 
mathematical machinery. A drawback of our approach is that it is not applicable in a setting with general 
liveness properties. 


Lemma 7.6. If $A'$ is a strategy for $A$, then every execution fragment of $A'$ is also an execution fragment 
of $A$. 


Theorem 7.7. Let $A_1$ and $A_2$ be two compatible pre-HIOAs with strongly compatible strategies $A_1'$ 
and $A_2'$, respectively. Then $A_1' \| A_2'$ is a strategy for $A_1 \| A_2$. 


Proof. Let $A$ denote $A_1 \| A_2$ and let $A'$ denote $A_1' \| A_2'$. Since $A_1'$ and $A_2'$ are strongly compatible, 
Theorem 6.12 implies that $A'$ is an HIOA. From the definitions of composition and strategy, $A'$ differs 
from $A$ only in that $D' \subseteq D$ and $T' \subseteq T$. Then the definition of strategy implies that $A'$ is a strategy for 
$A$. 


Lemma 7.8. Let $A_1$ and $A_2$ be two compatible pre-HIOAs with strongly compatible strategies $A_1'$ and 
$A_2'$, respectively. Then $A_1$ and $A_2$ are strongly compatible. 


Proof. Let $A$ denote $A_1 \| A_2$ and let $A'$ denote $A_1' \| A_2'$. Theorem 7.7 implies that $A'$ is a strategy for 
$A$. Since $A_1'$ and $A_2'$ are strongly compatible, their composition $A'$ satisfies E2. We show that also $A$ 
satisfies E2. 

Let $x \in Q$ and let $v \in trajs(U)$. Then since $A'$ is a strategy for $A$, we have $Q' = Q$, $U' = U$, 
$Y' = Y$, and so $x \in Q'$ and $v \in trajs(U')$. Since $A'$ satisfies E2, there exists $\tau \in T'$ such that 
$\tau.fstate = x$, $\tau \downarrow U' \leq v$, and either $\tau \downarrow U' = v$, or else $\tau$ is closed and some $l \in L'$ is enabled (in $A'$) in 
$\tau.lstate$. 

Since $A'$ is a strategy for $A$, it follows that also $\tau \in T$, $\tau \downarrow U \leq v$, and either $\tau \downarrow U = v$, or else $\tau$ is 
closed and some $l \in L$ is enabled (in $A$) in $\tau.lstate$. Therefore, $A$ satisfies E2, that is, $A_1$ and $A_2$ are 
strongly compatible. 


Example 7.9 (Strategy for nondeterministic sensor). The Sensor HIOA defined in Example 5.14 is a 
strategy for the NSensor HIOA defined in Example 7.5. 


7.3. Receptive HIOAs 


Finally, we define a pre-HIOA to be receptive if it has a progressive strategy. 


Example 7.10 (Receptive and non-receptive HIOAs). The NSensor HIOA of Example 7.5 is not progressive, 
but it is receptive. That is because the original Sensor HIOA, as defined in Example 5.14, is a 
progressive strategy for NSensor. 

The DiscreteController HIOA is not receptive: because any strategy for it must satisfy E1 and E2, 
such a strategy must be able to perform discrete steps in response to any report input, and so must be 
capable of performing infinitely many suggest actions in finite time. 

Consider a variant NDController of DiscreteController that has its own clock and may wait any 
amount of time, up to a fixed d’ (> 0), to respond to each report input with a new suggest. (Several 
reports may occur in succession; a single suggest may be used to handle all of them, as long as it occurs 
within time d’ of the first of these reports.) NDController is not progressive, because it has the option of 
responding immediately to reports, and thus may generate infinitely many suggestions in finite time. It 
is receptive, however, using a progressive strategy that always waits the maximum allowed time before 
generating a suggestion. 


The two most important general properties of receptive HIOAs are expressed by the following 
two theorems. The first expresses nontriviality—that any receptive HIOA (or pre-HIOA) can respond 
to any inputs from the environment. The second theorem shows that receptiveness is preserved by 
composition. 


Theorem 7.11. Every receptive pre-HIOA is I/O feasible. 


Proof. Let $A$ be a receptive pre-HIOA. By definition of receptive, there exists a progressive strategy $A'$ 
for $A$. Since $A'$ is a progressive HIOA, Corollary 7.3 implies that $A'$ is I/O feasible. We show that also 
$A$ is I/O feasible. 

Let $x \in Q$ and let $\beta$ be an $(I, U)$-sequence. Then since $A'$ is a strategy for $A$, we have $Q' = Q$, 
$I' = I$, and $U' = U$, and so $x \in Q'$ and $\beta$ is an $(I', U')$-sequence. Since $A'$ is I/O feasible, there is 
some execution fragment $\alpha$ of $A'$ such that $\alpha.fstate = x$ and $\alpha \lceil (I', U') = \beta$. By Lemma 7.6, $\alpha$ is also 
an execution fragment of $A$. Since $A'$ is a strategy for $A$, it follows that $\alpha \lceil (I, U) = \beta$. Therefore, $A$ is 
I/O feasible. 


The question of whether the converse of Theorem 7.11 holds is still open. Finally, we have our theorem 
about composability of receptive HIOAs: 


Theorem 7.12. Let $A_1$ and $A_2$ be two compatible receptive HIOAs with strongly compatible progressive 
strategies $A_1'$ and $A_2'$, respectively. Then $A_1 \| A_2$ is a receptive HIOA with progressive strategy 
$A_1' \| A_2'$. 


Proof. Let $A$ and $A'$ denote $A_1 \| A_2$ and $A_1' \| A_2'$, respectively. The fact that $A$ is an HIOA follows from 
Lemma 7.8 and Theorem 6.12. Theorem 7.7 implies that $A'$ is a strategy for $A$. Theorem 7.4 and the fact 
that $A_1'$ and $A_2'$ are progressive imply that $A'$ is progressive. Thus, $A$ is a receptive HIOA and $A'$ is a 
progressive strategy for $A$. 


Example 7.13 (Composition of receptive sensor and receptive discrete controller). As noted in Example 
7.10, both NSensor and NDController are receptive, using progressive strategies that always wait 
the maximum allowed amount of time. These two strategies are strongly compatible, by Theorem 6.18. 
Therefore, by Theorem 7.12, the composition NSensor||NDController is a receptive HIOA 
with a progressive strategy that is the composition of the two progressive strategies for the two 
pieces. 
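The behaviour described in Examples 7.5, 7.10 and 7.13, simulated as an added example (not code from the paper): NSensor with its nondeterministic report time resolved either by the Sensor strategy (report exactly at clock = d) or by an adversarial halving schedule, and NDController with either the immediate-response option or the wait-the-maximum strategy. The concrete dynamics (clock reset on every report, one suggest per group of reports issued within d' of the group's first report), the parameter values and the action-count bound used to flag a locally Zeno fragment in a finite run are assumptions of this illustration, read off the prose of the examples.

```python
"""Progressive versus non-progressive behaviour of NSensor, DiscreteController
and NDController (Examples 7.5, 7.10 and 7.13).  Added illustration, not code
from the paper; the dynamics below are assumptions read off the prose.

Assumed: NSensor resets its clock on each report and may report at any clock
value in (0, d]; the Sensor strategy reports exactly at clock = d.  NDController
answers a group of reports with one suggest no later than d' after the first
report of the group; its progressive strategy waits the full d'.  A finite run
cannot contain infinitely many actions, so a fragment counts as locally Zeno
here when more than a chosen bound of locally controlled actions fall inside a
bounded time window.  Times are exact rationals, so the halving delays of the
Zeno schedule stay strictly positive instead of rounding to zero.
"""
from fractions import Fraction
from typing import Callable, List, Tuple

Num = Fraction
Action = Tuple[Num, str]   # (absolute time, action name)


def run_nsensor(d: Num, horizon: Num, choose_delay: Callable[[int], Num],
                max_actions: int = 1000) -> List[Action]:
    """Execute NSensor until time `horizon` or until `max_actions` reports.

    `choose_delay(i)` resolves the nondeterministic clock value at which the
    i-th report fires and must lie in (0, d].  Reaching `max_actions` with time
    still below `horizon` is the finite-run signature of a locally Zeno fragment.
    """
    now, actions = Fraction(0), []
    while len(actions) < max_actions:
        delay = choose_delay(len(actions))
        if not 0 < delay <= d:
            raise ValueError(f"delay {delay} not in (0, {d}]")
        now += delay
        if now > horizon:
            break
        actions.append((now, "report"))
    return actions


def sensor_strategy(d: Num) -> Callable[[int], Num]:
    """Sensor as a strategy for NSensor (Example 7.9): always report at clock = d."""
    return lambda i: d


def zeno_schedule(d: Num) -> Callable[[int], Num]:
    """Adversarial resolution of NSensor's choice: delays d/2, d/4, d/8, ...
    whose sum stays below d, so reports never stop within the first d time units."""
    return lambda i: d / 2 ** (i + 1)


def run_ndcontroller(reports: List[Action], d_prime: Num, wait: Num) -> List[Action]:
    """NDController driven by a list of report actions.

    `wait` in [0, d'] fixes the strategy: 0 is the option of answering each
    report immediately (as DiscreteController does), d' is the progressive
    strategy that waits the maximum time so one suggest covers every report
    arriving in the meantime.  A pending suggest fires before any later report.
    """
    if not 0 <= wait <= d_prime:
        raise ValueError("wait must lie in [0, d']")
    suggests, due = [], None          # due: time of the pending suggest, if any
    for t, name in reports:
        if name != "report":
            continue
        if due is not None and due < t:
            suggests.append((due, "suggest"))
            due = None
        if due is None:               # first report of a new group
            due = t + wait
    if due is not None:
        suggests.append((due, "suggest"))
    return suggests


def locally_zeno(actions: List[Action], horizon: Num, bound: int) -> bool:
    """True if more than `bound` locally controlled actions occur within [0, horizon]."""
    return sum(1 for t, _ in actions if t <= horizon) > bound


def demo(d: Num = Fraction(1), d_prime: Num = Fraction(1, 2),
         horizon: Num = Fraction(10)) -> dict:
    """Run the scenarios of the three examples and return the action counts."""
    strategic = run_nsensor(d, horizon, sensor_strategy(d))
    zeno = run_nsensor(d, horizon, zeno_schedule(d))
    return {
        # Sensor strategy: one report per d time units, never more than horizon/d
        "sensor_strategy_reports": len(strategic),
        "sensor_strategy_zeno": locally_zeno(strategic, horizon, int(horizon / d)),
        # NSensor with an adversarial schedule: hits the action cap before time d
        "nsensor_zeno_reports": len(zeno),
        "nsensor_zeno": locally_zeno(zeno, d, 100),
        # NSensor||NDController: even the wait-maximum controller strategy leaves
        # the composition non-progressive (the Zeno actions are the sensor's)
        "suggests_waitmax_on_zeno": len(run_ndcontroller(zeno, d_prime, d_prime)),
        "suggests_immediate_on_zeno": len(run_ndcontroller(zeno, d_prime, Fraction(0))),
        # Example 7.13: composition of the two progressive strategies
        "suggests_composed": len(run_ndcontroller(strategic, d_prime, d_prime)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With d = 1, d' = 1/2 and a horizon of 10, the Sensor strategy produces ten reports and the composed strategies ten suggests, while the adversarial schedule hits the 1000-action cap before one time unit has elapsed. Pairing that Zeno sensor with the wait-maximum controller strategy yields a single suggest, so a progressive strategy on the controller side alone does not make the composition progressive; that is why Theorem 7.12 asks for a progressive strategy on each side.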


8. Conclusions 


In this paper, we have defined a new hybrid I/O automaton (HIOA) modeling framework for describing 
and reasoning about the behavior of hybrid systems. Many future research directions remain. 

First, the expressive and analytical power of the new model should be tested further by using it to 
describe and analyze many more examples. These should include many of the examples that have been 
used as illustrations elsewhere in the hybrid systems literature. The automated transportation examples 
studied using the previous version of the HIOA model should be revisited using the new model to see 
what changes arise, and new and more ambitious case studies should be attempted. 

It would be interesting to define and prove formal relationships between the HA and HIOA models of 
this paper and other models of hybrid systems, including those of [3,8,13,14,38,63]. Also, one can define 
a timed input/output automaton model by simply restricting the HIOA model of this paper so that it does 
not include any external variables. It remains to consider the formal relationship between this model and 
other timed automaton models, for example, those of [1,5,60,65,74]. 

It would also be useful to incorporate additional analysis methods, including assume-guarantee 
reasoning [16,36] and a variety of methods from control theory, into the HIOA framework. Control 
theory methods to consider should include Lyapunov stability analysis methods [79] and robust control 
methods [23]. Results about these methods should be formulated in terms of HIOAs, and the methods 
should be extended where necessary in order to accommodate a combination of discrete and continuous 
behavior. 

Other extensions of the HIOA framework are also desirable. In some prior work (e.g. [1,21,74]), 
strategies are used to describe how a system interacts with its environment to guarantee that the outcome 
of the interaction satisfies a target liveness property. In this paper, we do not consider general liveness 
properties, but only the special case of admissibility. It remains to extend the theory to more general 
liveness properties. Another important extension would be the addition of probabilities, which would 
make it possible to model and analyze probabilistic hybrid systems. Such an extension could be used, for 
example, to prove bounds on the probability of errors in safety-critical real-time systems. This extension 
appears to be a very challenging problem. 

Future work will include tool support for modeling and analysis as described in this paper. This will 
include a formal modeling language based on HIOA, with constructs similar to those used in the examples 
of this paper, and connections to a theorem prover. A preliminary language proposal appears in [68]. 
Appendix A 


A.1. Notational conventions 


action 
element of some set 
function 
index 
natural number 
locally controlled action 
time point 
input variable 
variable 
external variable 
internal variable 
output variable 
local variable 
set of actions 
set of discrete transitions 
set of external actions 
set of functions 
set of internal (hidden) actions 
set of input actions or index set 
interval or index set 
set of time points 
set of locally controlled actions 
set of output actions 
set of elements in cpo 
set of automaton states 
(simulation) relation 
set 
set of trajectories 
set of input variables 
set of variables 
set of external (Dutch: waarneembare, i.e. observable) variables 
set of internal variables 
set of output variables 
set of local variables 
state 
valuation 
hybrid (I/O) automaton 
hybrid automaton 
set of trajectories 
the natural numbers 
the real numbers 
the time axis 
the integers 
the universe of variables 
hybrid sequence 
sequence 
the empty sequence 
π projection function 
ρ, σ sequence 
τ, υ trajectory 
set of start states 